Documentation Index
Fetch the complete documentation index at: https://mintlify.com/xmtp/libxmtp/llms.txt
Use this file to discover all available pages before exploring further.
Overview
LibXMTP implements a flexible permission system for group management. Permissions are stored as MLS Unknown Group Context Extensions and control who can perform various group actions.
PolicySet
The PolicySet struct defines all permission policies for a group.
pub struct PolicySet {
pub add_member_policy: MembershipPolicies,
pub remove_member_policy: MembershipPolicies,
pub update_metadata_policy: HashMap<String, MetadataPolicies>,
pub add_admin_policy: PermissionsPolicies,
pub remove_admin_policy: PermissionsPolicies,
pub update_permissions_policy: PermissionsPolicies,
}
Fields
| Field | Type | Description |
|---|
add_member_policy | MembershipPolicies | Who can add members |
remove_member_policy | MembershipPolicies | Who can remove members |
update_metadata_policy | HashMap<String, MetadataPolicies> | Per-field metadata update policies |
add_admin_policy | PermissionsPolicies | Who can add admins |
remove_admin_policy | PermissionsPolicies | Who can remove admins |
update_permissions_policy | PermissionsPolicies | Who can update permission policies |
Methods
new
pub fn new(
add_member_policy: MembershipPolicies,
remove_member_policy: MembershipPolicies,
update_metadata_policy: HashMap<String, MetadataPolicies>,
add_admin_policy: PermissionsPolicies,
remove_admin_policy: PermissionsPolicies,
update_permissions_policy: PermissionsPolicies,
) -> Self
new_dm
Creates a PolicySet for DM conversations (all membership/admin actions denied).
evaluate_commit
pub fn evaluate_commit(&self, commit: &ValidatedCommit) -> bool
commit - Validated commit to evaluate
Returns: true if commit is valid, false otherwise
Validation Rules:
- Add member policy not violated
- Remove member policy not violated (super admins cannot be removed)
- Metadata update policies not violated
- Admin add/remove policies not violated
- Super admin changes require super admin privileges
- Last super admin cannot be removed
- Permission changes require super admin privileges
to_bytes / from_bytes
pub fn to_bytes(&self) -> Result<Vec<u8>, PolicyError>
pub fn from_bytes(bytes: &[u8]) -> Result<Self, PolicyError>
pub enum PreconfiguredPolicies {
Default, // "All Members" policy
AdminsOnly, // "Admin Only" policy
}
to_policy_set
pub fn to_policy_set(&self) -> PolicySet
from_policy_set
pub fn from_policy_set(policy_set: &PolicySet) -> Result<Self, PolicyError>
All Members (Default)
The default preconfigured policy allows broad member participation:
| Action | Policy |
|---|
| Add members | Allow (any member) |
| Remove members | Allow if admin or super admin |
| Update metadata (general) | Allow (any member) |
| Update disappearing messages | Allow if admin or super admin |
| Update protocol version | Allow if super admin |
| Add admin | Allow if super admin |
| Remove admin | Allow if super admin |
| Update permissions | Allow if super admin |
Admin Only
The admin-only policy restricts most actions to admins:
| Action | Policy |
|---|
| Add members | Allow if admin or super admin |
| Remove members | Allow if admin or super admin |
| Update metadata (all fields) | Allow if admin or super admin |
| Update protocol version | Allow if super admin |
| Add admin | Allow if super admin |
| Remove admin | Allow if super admin |
| Update permissions | Allow if super admin |
Membership Policies
MembershipPolicies Enum
pub enum MembershipPolicies {
Standard(BasePolicies),
AndCondition(AndCondition),
AnyCondition(AnyCondition),
}
Factory Methods
pub fn allow() -> Self
pub fn deny() -> Self
pub fn allow_if_actor_admin() -> Self
pub fn allow_if_actor_super_admin() -> Self
pub fn and(policies: Vec<MembershipPolicies>) -> Self
pub fn any(policies: Vec<MembershipPolicies>) -> Self
BasePolicies
pub enum BasePolicies {
Allow,
Deny,
AllowSameMember,
AllowIfAdminOrSuperAdmin,
AllowIfSuperAdmin,
}
- Allow - Allow unconditionally
- Deny - Deny unconditionally
- AllowSameMember - Allow if change applies to actor’s own installations
- AllowIfAdminOrSuperAdmin - Allow if actor is admin or super admin
- AllowIfSuperAdmin - Allow if actor is super admin
MembershipPolicy Trait
pub trait MembershipPolicy {
fn evaluate(&self, actor: &CommitParticipant, change: &Inbox) -> bool;
fn to_proto(&self) -> Result<MembershipPolicyProto, PolicyError>;
}
pub enum MetadataPolicies {
Standard(MetadataBasePolicies),
AndCondition(MetadataAndCondition),
AnyCondition(MetadataAnyCondition),
}
Factory Methods
pub fn allow() -> Self
pub fn deny() -> Self
pub fn allow_if_actor_admin() -> Self
pub fn allow_if_actor_super_admin() -> Self
pub fn and(policies: Vec<MetadataPolicies>) -> Self
pub fn any(policies: Vec<MetadataPolicies>) -> Self
default_map
pub fn default_map(policies: MetadataPolicies) -> HashMap<String, MetadataPolicies>
MessageDisappearInNS and MessageDisappearFromNS default to admin-onlyMinimumSupportedProtocolVersion defaults to super-admin-only- Other fields use the provided policy
pub enum MetadataBasePolicies {
Allow,
Deny,
AllowIfActorAdminOrSuperAdmin,
AllowIfActorSuperAdmin,
}
pub trait MetadataPolicy {
fn evaluate(&self, actor: &CommitParticipant, change: &MetadataFieldChange) -> bool;
fn to_proto(&self) -> Result<MetadataPolicyProto, PolicyError>;
}
Permissions Policies
PermissionsPolicies Enum
pub enum PermissionsPolicies {
Standard(PermissionsBasePolicies),
AndCondition(PermissionsAndCondition),
AnyCondition(PermissionsAnyCondition),
}
Factory Methods
pub fn deny() -> Self
pub fn allow_if_actor_admin() -> Self
pub fn allow_if_actor_super_admin() -> Self
pub fn and(policies: Vec<PermissionsPolicies>) -> Self
pub fn any(policies: Vec<PermissionsPolicies>) -> Self
PermissionsBasePolicies
pub enum PermissionsBasePolicies {
Deny,
AllowIfActorAdminOrSuperAdmin,
AllowIfActorSuperAdmin,
}
PermissionsPolicy Trait
pub trait PermissionsPolicy {
fn evaluate(&self, actor: &CommitParticipant) -> bool;
fn to_proto(&self) -> Result<PermissionsPolicyProto, PolicyError>;
}
Composite Policies
AndCondition
Evaluates to true if all contained policies evaluate to true.
let policy = MembershipPolicies::and(vec![
MembershipPolicies::allow_if_actor_admin(),
// additional policies...
]);
AnyCondition
Evaluates to true if any contained policy evaluates to true.
let policy = MembershipPolicies::any(vec![
MembershipPolicies::allow_if_actor_admin(),
MembershipPolicies::allow_if_actor_super_admin(),
]);
GroupMutablePermissions
Wrapper struct for storing permissions as an MLS extension.
pub struct GroupMutablePermissions {
pub policies: PolicySet,
}
Methods
new
pub fn new(policies: PolicySet) -> Self
pub fn preconfigured_policy(
&self,
) -> Result<PreconfiguredPolicies, GroupMutablePermissionsError>
Conversions
impl TryFrom<GroupMutablePermissions> for Vec<u8>
impl TryFrom<&Vec<u8>> for GroupMutablePermissions
impl TryFrom<&Extensions> for GroupMutablePermissions
impl TryFrom<&OpenMlsGroup> for GroupMutablePermissions
Helper Function
pub fn extract_group_permissions(
group: &OpenMlsGroup,
) -> Result<GroupMutablePermissions, GroupMutablePermissionsError>
Admin Roles
Admin
- Can perform actions allowed by admin-or-super-admin policies
- Cannot modify super admins
- Cannot change permission policies
Super Admin
- Can perform all admin actions
- Can add/remove other super admins (but not the last one)
- Can add/remove regular admins
- Can change permission policies
- Automatically set as the group creator
- Cannot be removed from the group (must remain at least one)
- Cannot leave the group (must be demoted first)
When evaluating metadata changes for fields without explicit policies:
- Fields starting with
_ (super admin prefix): Require super admin
- All other fields: Require admin or super admin
Error Handling
PolicyError
pub enum PolicyError {
Serialization(prost::EncodeError),
Deserialization(prost::DecodeError),
MissingMetadataPolicyField { name: String },
InvalidPolicy,
InvalidPresetPolicy,
InvalidMetadataPolicy,
InvalidMembershipPolicy,
InvalidPermissionsPolicy,
// ... proto conversion errors
}
GroupMutablePermissionsError
pub enum GroupMutablePermissionsError {
Serialization(prost::EncodeError),
Deserialization(prost::DecodeError),
Policy(PolicyError),
InvalidConversationType,
MissingPolicies,
MissingExtension,
InvalidPermissionPolicyOption,
}
Usage Examples
Creating a Custom Policy
use xmtp_mls::groups::group_permissions::*;
let custom_policy = PolicySet::new(
MembershipPolicies::allow_if_actor_admin(), // Add members: admin only
MembershipPolicies::allow_if_actor_admin(), // Remove members: admin only
MetadataPolicies::default_map(MetadataPolicies::allow()), // Metadata: allow all
PermissionsPolicies::allow_if_actor_super_admin(), // Add admin: super admin only
PermissionsPolicies::allow_if_actor_super_admin(), // Remove admin: super admin only
PermissionsPolicies::allow_if_actor_super_admin(), // Update permissions: super admin only
);
let default_policy = PreconfiguredPolicies::Default.to_policy_set();
let admin_only_policy = PreconfiguredPolicies::AdminsOnly.to_policy_set();
let permissions = extract_group_permissions(&mls_group)?;
let policy_set = &permissions.policies;
if let Ok(preset) = permissions.preconfigured_policy() {
println!("Using preset: {:?}", preset);
}
Source References
- PolicySet:
crates/xmtp_mls/src/groups/group_permissions.rs:884
- Preconfigured Policies:
crates/xmtp_mls/src/groups/group_permissions.rs:1311
- Membership Policies:
crates/xmtp_mls/src/groups/group_permissions.rs:670
- Metadata Policies:
crates/xmtp_mls/src/groups/group_permissions.rs:173
- Permissions Policies:
crates/xmtp_mls/src/groups/group_permissions.rs:430
