config option to block non-admin room invites

works just like block_non_admin_invites from synapse Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-03-02 21:45:08 -05:00 · 2024-03-02 21:45:08 -05:00 · ea66bff46b
commit ea66bff46b
parent c97483dbd3
5 changed files with 34 additions and 0 deletions
--- a/conduwuit-example.toml
+++ b/conduwuit-example.toml
@ -152,6 +152,11 @@ registration_token = "change this token for something specific to your server"
 # defaults to true
 # allow_room_creation = true

+# controls whether non-admin local users are forbidden from sending room invites (local and remote),
+# AND rejects all incoming remote/federation room invites for all users (including admins).
+# defaults to false
+# block_non_admin_invites = falsse
+
 # Set this to true to allow your server's public room directory to be federated.
 # Set this to false to protect against /publicRooms spiders, but will forbid external users
 # from viewing your server's public room directory. If federation is disabled entirely
--- a/src/api/client_server/membership.rs
+++ b/src/api/client_server/membership.rs
@ -190,6 +190,17 @@ pub async fn invite_user_route(
 ) -> Result<invite_user::v3::Response> {
    let sender_user = body.sender_user.as_ref().expect("user is authenticated");

+    if !services().users.is_admin(sender_user)? && services().globals.block_non_admin_invites() {
+        info!(
+            "User {sender_user} is not an admin and attempted to send an invite to room {}",
+            &body.room_id
+        );
+        return Err(Error::BadRequest(
+            ErrorKind::Forbidden,
+            "Invites are not allowed on this server.",
+        ));
+    }
+
    if let invite_user::v3::InvitationRecipient::UserId { user_id } = &body.recipient {
        invite_helper(
            sender_user,
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@ -1845,6 +1845,13 @@ pub async fn create_invite_route(
        .as_ref()
        .expect("server is authenticated");

+    if services().globals.block_non_admin_invites() {
+        info!("Received remote invite from server {} for room {}, but \"block_non_admin_invites\" is enabled, rejecting.", &sender_servername, &body.room_id);
+        return Err(Error::BadRequest(
+            ErrorKind::Forbidden,
+            "This server does not allow room invites.",
+        ));
+    }
    services()
        .rooms
        .event_handler
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@ -163,6 +163,9 @@ pub struct Config {
    #[serde(with = "serde_regex")]
    pub forbidden_usernames: RegexSet,

+    #[serde(default)]
+    pub block_non_admin_invites: bool,
+
    #[serde(flatten)]
    pub catchall: BTreeMap<String, IgnoredAny>,
 }
@ -277,6 +280,10 @@ impl fmt::Display for Config {
                "Allow local presence requests (updates)",
                &self.allow_local_presence.to_string(),
            ),
+            (
+                "Block non-admin room invites (local and remote) and block all incoming remote invites",
+                &self.block_non_admin_invites.to_string(),
+            ),
            (
                "Allow device name federation",
                &self.allow_device_name_federation.to_string(),
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@ -471,6 +471,10 @@ impl Service<'_> {
        &self.config.ip_range_denylist
    }

+    pub fn block_non_admin_invites(&self) -> bool {
+        self.config.block_non_admin_invites
+    }
+
    pub fn supported_room_versions(&self) -> Vec<RoomVersionId> {
        let mut room_versions: Vec<RoomVersionId> = vec![];
        room_versions.extend(self.stable_room_versions.clone());