From ea66bff46b1b677903815faac182a26688f67d30 Mon Sep 17 00:00:00 2001 From: strawberry Date: Sat, 2 Mar 2024 21:45:08 -0500 Subject: [PATCH] config option to block non-admin room invites works just like block_non_admin_invites from synapse Signed-off-by: strawberry --- conduwuit-example.toml | 5 +++++ src/api/client_server/membership.rs | 11 +++++++++++ src/api/server_server.rs | 7 +++++++ src/config/mod.rs | 7 +++++++ src/service/globals/mod.rs | 4 ++++ 5 files changed, 34 insertions(+) diff --git a/conduwuit-example.toml b/conduwuit-example.toml index dea3377e..1a80bf71 100644 --- a/conduwuit-example.toml +++ b/conduwuit-example.toml @@ -152,6 +152,11 @@ registration_token = "change this token for something specific to your server" # defaults to true # allow_room_creation = true +# controls whether non-admin local users are forbidden from sending room invites (local and remote), +# AND rejects all incoming remote/federation room invites for all users (including admins). +# defaults to false +# block_non_admin_invites = falsse + # Set this to true to allow your server's public room directory to be federated. # Set this to false to protect against /publicRooms spiders, but will forbid external users # from viewing your server's public room directory. If federation is disabled entirely diff --git a/src/api/client_server/membership.rs b/src/api/client_server/membership.rs index 92f6878b..1081a6fd 100644 --- a/src/api/client_server/membership.rs +++ b/src/api/client_server/membership.rs 
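Review bot: The commented example on the added line `# block_non_admin_invites = falsse` is misspelled, so an operator who uncomments it as written will most likely hit a config parse error rather than the documented default; it should read `# block_non_admin_invites = false`. The option name says "non-admin" while the second comment sentence says every incoming federation invite is rejected, admins included. Because operators will enable this as an anti-spam control, it is worth stating that mismatch outright, for example `# NOTE: despite the name, incoming federation invites are rejected for every local user`.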
@@ -190,6 +190,17 @@ pub async fn invite_user_route( ) -> Result { let sender_user = body.sender_user.as_ref().expect("user is authenticated"); + if !services().users.is_admin(sender_user)? && services().globals.block_non_admin_invites() { + info!( + "User {sender_user} is not an admin and attempted to send an invite to room {}", + &body.room_id + ); + return Err(Error::BadRequest( + ErrorKind::Forbidden, + "Invites are not allowed on this server.", + )); + } + if let invite_user::v3::InvitationRecipient::UserId { user_id } = &body.recipient { invite_helper( sender_user, diff --git a/src/api/server_server.rs b/src/api/server_server.rs index e4f8cbb1..7c1480d1 100644 --- a/src/api/server_server.rs +++ b/src/api/server_server.rs @@ -1845,6 +1845,13 @@ pub async fn create_invite_route( .as_ref() .expect("server is authenticated"); + if services().globals.block_non_admin_invites() { + info!("Received remote invite from server {} for room {}, but \"block_non_admin_invites\" is enabled, rejecting.", &sender_servername, &body.room_id); + return Err(Error::BadRequest( + ErrorKind::Forbidden, + "This server does not allow room invites.", + )); + } services() .rooms .event_handler diff --git a/src/config/mod.rs b/src/config/mod.rs index 912982c4..60149c7c 100644 --- a/src/config/mod.rs +++ b/src/config/mod.rs @@ -163,6 +163,9 @@ pub struct Config { #[serde(with = "serde_regex")] pub forbidden_usernames: RegexSet, + #[serde(default)] + pub block_non_admin_invites: bool, + #[serde(flatten)] pub catchall: BTreeMap, } @@ -277,6 +280,10 @@ impl fmt::Display for Config { "Allow local presence requests (updates)", &self.allow_local_presence.to_string(), ), + ( + "Block non-admin room invites (local and remote) and block all incoming remote invites", + &self.block_non_admin_invites.to_string(), + ), ( "Allow device name federation", &self.allow_device_name_federation.to_string(), diff --git a/src/service/globals/mod.rs b/src/service/globals/mod.rs index 2e62c79d..e3341314 100644 
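Review bot: The new guard in `invite_user_route` evaluates `is_admin(sender_user)?` before it looks at the config flag, so every invite now runs the admin check, and any error from it is propagated by `?` even on servers that leave `block_non_admin_invites` off. Testing the flag first keeps the default path unchanged: `if services().globals.block_non_admin_invites() && !services().users.is_admin(sender_user)? {`. The function body continues outside the hunk. The hunk also does not show whether other client paths that can produce invite events (room creation with an initial invite list, for instance) pass through this route; if they do not, the same check is needed there for the restriction to hold.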
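Review bot: The added check in `create_invite_route` refuses the invite whenever the flag is set, without looking at who the invitee is, so the name `block_non_admin_invites` understates what this branch does; a comment would stop the next reader from assuming an admin exemption, e.g. `// intentionally rejects invites for every local user, admins included (mirrors Synapse's block_non_admin_invites)`. The `info!` line is emitted once per rejected request at a rate the remote server controls, so a lower level such as `debug!` (if that macro is in scope in this file) may be the safer default where log volume matters. A blank line after the closing `}` would match the spacing of the guard added in `membership.rs`. The function continues outside the hunk.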
--- a/src/service/globals/mod.rs +++ b/src/service/globals/mod.rs @@ -471,6 +471,10 @@ impl Service<'_> { &self.config.ip_range_denylist } + pub fn block_non_admin_invites(&self) -> bool { + self.config.block_non_admin_invites + } + pub fn supported_room_versions(&self) -> Vec { let mut room_versions: Vec = vec![]; room_versions.extend(self.stable_room_versions.clone());