From 3981e77ec6670187fab7aa31017c50f313aa3de6 Mon Sep 17 00:00:00 2001
From: strawberry <strawberry@puppygock.gay>
Date: Sun, 26 May 2024 15:29:49 -0400
Subject: [PATCH] check user ID server against ACLs for /make_join

Signed-off-by: strawberry <strawberry@puppygock.gay>
---
 src/api/server_server.rs | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/api/server_server.rs b/src/api/server_server.rs
index 47b8f4ded..07a848bbb 100644
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@@ -880,7 +880,20 @@ pub(crate) async fn create_join_event_template_route(
 	services()
 		.rooms
 		.event_handler
-		.acl_check(sender_servername, &body.room_id)?;
+		.acl_check(origin, &body.room_id)?;
+
+	// ACL check invited user server name
+	services()
+		.rooms
+		.event_handler
+		.acl_check(body.user_id.server_name(), &body.room_id)?;
+
+	if body.user_id.server_name() != origin {
+		return Err(Error::BadRequest(
+			ErrorKind::InvalidParam,
+			"Not allowed to join on behalf of another server/user",
+		));
+	}
 
 	if services()
 		.globals
-- 
GitLab