From 01b94a98033b661695b76134e25aed477667be54 Mon Sep 17 00:00:00 2001
From: John Terzis
Date: Fri, 21 Oct 2022 17:38:05 -0700
Subject: [PATCH] Jterzis/pull dendrite fork (#712)

Co-authored-by: Tak Wai Wong <64229756+tak-hntlabs@users.noreply.github.com>
Co-authored-by: Tak Wai Wong
Co-authored-by: John Terzis
---
 clientapi/routing/routing.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/clientapi/routing/routing.go b/clientapi/routing/routing.go
index afd4cda4d..abaf674ff 100644
--- a/clientapi/routing/routing.go
+++ b/clientapi/routing/routing.go
@@ -263,7 +263,7 @@ func Setup(
 if !isAllowed {
 return util.JSONResponse{
 Code: http.StatusUnauthorized,
- JSON: jsonerror.Forbidden(""),
+ JSON: jsonerror.Forbidden("Unauthorised"),
 }
 }

@@ -352,6 +352,19 @@ func Setup(
 return util.ErrorResponse(err)
 }

+ isAllowedInviter, _ := authorization.IsAllowed(authz.AuthorizationArgs{
+ RoomId: vars["roomID"],
+ UserId: device.UserID,
+ Permission: authz.PermissionInvite,
+ })
+
+ if !isAllowedInviter {
+ return util.JSONResponse{
+ Code: http.StatusUnauthorized,
+ JSON: jsonerror.Forbidden("Inviter not allowed"),
+ }
+ }
+
 return SendInvite(req, userAPI, device, vars["roomID"], cfg, rsAPI, asAPI)
 }),
 ).Methods(http.MethodPost, http.MethodOptions)
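Review bot: The error returned by `authorization.IsAllowed` is discarded with `_` in the new invite check (second hunk), so a failure of the authorization backend is indistinguishable from a genuine denial, and whether the check fails closed depends on what IsAllowed returns alongside an error, which is not visible here. Bind and handle it before testing the boolean, e.g. `isAllowedInviter, err := authorization.IsAllowed(...)` followed by `if err != nil { return util.ErrorResponse(err) }`, matching the error handling on the lines just above. The denial also pairs `http.StatusUnauthorized` with `jsonerror.Forbidden(...)`; for an authenticated device that merely lacks the invite permission, `Code: http.StatusForbidden` would agree with the forbidden error body, and the same pairing appears in the first hunk's context. The enclosing `Setup` function begins and ends outside both hunks, so any earlier handling of these cases cannot be confirmed from this patch.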