From 9761e2f10ce853922014dca319103821c81b7e9a Mon Sep 17 00:00:00 2001
From: strawberry <strawberry@puppygock.gay>
Date: Thu, 24 Oct 2024 21:38:26 -0400
Subject: [PATCH] fix lockdown_public_room_directory bypass, add appservice
 exclusion

Signed-off-by: strawberry <strawberry@puppygock.gay>
---
 src/api/client/directory.rs |  5 ++++-
 src/api/client/room.rs      | 30 +++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/src/api/client/directory.rs b/src/api/client/directory.rs
index 1a3e717d..423f2bde 100644
--- a/src/api/client/directory.rs
+++ b/src/api/client/directory.rs
@@ -137,7 +137,10 @@ pub(crate) async fn set_room_visibility_route(
 
 	match &body.visibility {
 		room::Visibility::Public => {
-			if services.globals.config.lockdown_public_room_directory && !services.users.is_admin(sender_user)? {
+			if services.globals.config.lockdown_public_room_directory
+				&& !services.users.is_admin(sender_user)?
+				&& body.appservice_info.is_none()
+			{
 				info!(
 					"Non-admin user {sender_user} tried to publish {0} to the room directory while \
 					 \"lockdown_public_room_directory\" is enabled",
diff --git a/src/api/client/room.rs b/src/api/client/room.rs
index 609f3b40..0a75787d 100644
--- a/src/api/client/room.rs
+++ b/src/api/client/room.rs
@@ -1,7 +1,7 @@
 use std::{cmp::max, collections::BTreeMap};
 
 use axum::extract::State;
-use conduit::{debug_info, debug_warn, err};
+use conduit::{debug_info, debug_warn, err, Err};
 use ruma::{
 	api::client::{
 		error::ErrorKind,
@@ -64,6 +64,7 @@ const TRANSFERABLE_STATE_EVENTS: &[StateEventType; 9] = &[
 /// - Send events listed in initial state
 /// - Send events implied by `name` and `topic`
 /// - Send invite events
+#[allow(clippy::large_stack_frames)]
 pub(crate) async fn create_room_route(
 	State(services): State<crate::State>, body: Ruma<create_room::v3::Request>,
 ) -> Result<create_room::v3::Response> {
@@ -92,6 +93,28 @@ pub(crate) async fn create_room_route(
 		));
 	}
 
+	if body.visibility == room::Visibility::Public
+		&& services.globals.config.lockdown_public_room_directory
+		&& !services.users.is_admin(sender_user)?
+		&& body.appservice_info.is_none()
+	{
+		info!(
+			"Non-admin user {sender_user} tried to publish {0} to the room directory while \
+			 \"lockdown_public_room_directory\" is enabled",
+			&room_id
+		);
+		services
+			.admin
+			.send_text(&format!(
+				"Non-admin user {sender_user} tried to publish {0} to the room directory while \
+				 \"lockdown_public_room_directory\" is enabled",
+				&room_id
+			))
+			.await;
+
+		return Err!(Request(Forbidden("Publishing rooms to the room directory is not allowed")));
+	}
+
 	let _short_id = services.rooms.short.get_or_create_shortroomid(&room_id)?;
 	let state_lock = services.rooms.state.mutex.lock(&room_id).await;
 
@@ -450,6 +473,11 @@ pub(crate) async fn create_room_route(
 
 	if body.visibility == room::Visibility::Public {
 		services.rooms.directory.set_public(&room_id)?;
+		services
+			.admin
+			.send_text(&format!("{sender_user} made {} public to the room directory", &room_id))
+			.await;
+		info!("{sender_user} made {0} public to the room directory", &room_id);
 	}
 
 	info!("{sender_user} created a room with room ID {room_id}");