From abdda6cf323a519e9c96900169cc346c9d47fce5 Mon Sep 17 00:00:00 2001 From: strawberry Date: Sun, 26 May 2024 22:59:13 -0400 Subject: [PATCH] check invited user's server against ACLs on /invite Signed-off-by: strawberry --- src/api/server_server.rs | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/src/api/server_server.rs b/src/api/server_server.rs index bb6306e5..c9069fa1 100644 --- a/src/api/server_server.rs +++ b/src/api/server_server.rs @@ -1765,6 +1765,21 @@ pub(crate) async fn create_invite_route(body: Ruma) let mut signed_event = utils::to_canonical_object(&body.event) .map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "Invite event is invalid."))?; + let invited_user: OwnedUserId = serde_json::from_value( + signed_event + .get("state_key") + .ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "Event had no state_key field."))? + .clone() + .into(), + ) + .map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "state_key is not a user id."))?; + + // ACL check the invited user's server + services() + .rooms + .event_handler + .acl_check(invited_user.server_name(), &body.room_id)?; + ruma::signatures::hash_and_sign_event( services().globals.server_name().as_str(), services().globals.keypair(), @@ -1793,15 +1808,6 @@ pub(crate) async fn create_invite_route(body: Ruma) ) .map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "sender is not a user id."))?; - let invited_user: Box<_> = serde_json::from_value( - signed_event - .get("state_key") - .ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "Event had no state_key field."))? - .clone() - .into(), - ) - .map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "state_key is not a user id."))?; - if services().rooms.metadata.is_banned(&body.room_id)? && !services().users.is_admin(&invited_user)? { return Err(Error::BadRequest( ErrorKind::forbidden(),