From dc614e11d65780eaea173d55778630d817821777 Mon Sep 17 00:00:00 2001
From: Jason Volk
Date: Mon, 27 May 2024 05:40:07 +0000
Subject: [PATCH] check invite target is our server.

Signed-off-by: Jason Volk
---
 src/api/server_server.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/api/server_server.rs b/src/api/server_server.rs
index e7d43445..e55fa6ca 100644
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@@ -1759,7 +1759,14 @@ pub(crate) async fn create_invite_route(body: Ruma)
 )
 .map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "state_key is not a user id."))?;

- // ACL check the invited user's server
+ if !server_is_ours(invited_user.server_name()) {
+ return Err(Error::BadRequest(
+ ErrorKind::InvalidParam,
+ "User does not belong to this homeserver.",
+ ));
+ }
+
+ // Make sure we're not ACL'ed from their room.
 services()
 .rooms
 .event_handler
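Review bot: The new `server_is_ours(invited_user.server_name())` guard has no comment saying why it exists, and it rejects the request without logging anything. This is a trust-boundary check on a federation endpoint: the `state_key` comes from the remote server, and the rest of `create_invite_route` (which continues outside this hunk) presumably acts on the event on this server's behalf. I would put `// Federation invites must target a local user; reject a state_key that names a user on another server.` above the `if`. I would also log the rejection at warn level with the requesting server and the rejected user id, so repeated probing from one origin shows up in the logs. The reworded ACL comment says "their room" while the call's arguments are outside the hunk, so please confirm it still describes the server name actually passed to the check.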