From 1013fe5a42df8cea647d1132a5e8b934eae20537 Mon Sep 17 00:00:00 2001
From: strawberry <strawberry@puppygock.gay>
Date: Sun, 26 May 2024 18:57:08 -0400
Subject: [PATCH] check for membership join state at /send_join

Signed-off-by: strawberry <strawberry@puppygock.gay>
---
 src/api/server_server.rs | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/api/server_server.rs b/src/api/server_server.rs
index 9b3de6697..6c80ce937 100644
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@@ -1191,6 +1191,28 @@ async fn create_join_event(
 		));
 	}
 
+	let content = value
+		.get("content")
+		.ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "Join event does not a content key"))?
+		.as_object()
+		.ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "Join event content is empty or invalid"))?;
+
+	let membership: MembershipState = serde_json::from_value(
+		content
+			.get("membership")
+			.ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "Join event content does not have a membership"))?
+			.clone()
+			.into(),
+	)
+	.map_err(|_| Error::BadRequest(ErrorKind::BadJson, "Join event has an invalid membership"))?;
+
+	if membership != MembershipState::Join {
+		return Err(Error::BadRequest(
+			ErrorKind::InvalidParam,
+			"Not allowed to send a non-join event at a join endpoint",
+		));
+	}
+
 	// ACL check sender server name
 	let sender: OwnedUserId = serde_json::from_value(
 		value
-- 
GitLab