Add spec for MSC4163: Make ACLs apply to EDUs (#2004)

Signed-off-by: Johannes Marbach <[email protected]>

Author: Johennes

changelogs/server_server/newsfragments/2004.feature

@@ -0,0 +1 @@
+Make ACLs apply to EDUs as per [MSC4163](https://github.com/matrix-org/matrix-spec-proposals/pull/4163).

content/server-server-api.md

@@ -1228,7 +1228,6 @@ of `M_FORBIDDEN`.
 
 The following endpoint prefixes MUST be protected:
 
--   `/_matrix/federation/v1/send` (on a per-PDU basis)
 -   `/_matrix/federation/v1/make_join`
 -   `/_matrix/federation/v1/make_leave`
 -   `/_matrix/federation/v1/send_join`
@@ -1245,6 +1244,22 @@ The following endpoint prefixes MUST be protected:
 -   `/_matrix/federation/v1/event_auth`
 -   `/_matrix/federation/v1/get_missing_events`
 
+Additionally the [`/_matrix/federation/v1/send/{txnId}`](#put_matrixfederationv1sendtxnid)
+endpoint MUST be protected as follows:
+
+-   ACLs MUST be applied to all PDUs on a per-PDU basis. If the sending
+    server is denied access to the room identified by `room_id`, the PDU
+    MUST be ignored with an appropriate error included in the response
+    for the respective event ID.
+-   ACLs MUST be applied to all EDUs that are local to a specific room:
+
+    -   For [typing notifications (`m.typing`)](#typing-notifications), if
+        the sending server is denied access to the room identified by
+        `room_id`, the EDU MUST be ignored.
+    -   For [receipts (`m.receipt`)](#receipts), all receipts for a particular
+        room ID MUST be ignored if the sending server is denied access to
+        the room identified by that ID.
+
 ## Signing Events
 
 Signing events is complicated by the fact that servers can choose to