From 36039c2efce2627e76adbe208266344dfdbc4e16 Mon Sep 17 00:00:00 2001
From: John Terzis
Date: Fri, 21 Oct 2022 16:57:20 -0700
Subject: [PATCH] HNT-105 invite authz
---
 clientapi/routing/routing.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clientapi/routing/routing.go b/clientapi/routing/routing.go
index 5cea1c54d..14c164c48 100644
--- a/clientapi/routing/routing.go
+++ b/clientapi/routing/routing.go
@@ -353,6 +353,19 @@ func Setup(
 return util.ErrorResponse(err)
 }
+ isAllowedInviter, _ := authorization.IsAllowed(authz.AuthorizationArgs{
+ RoomId: vars["roomID"],
+ UserId: device.UserID,
+ Permission: authz.PermissionInvite,
+ })
+
+ if !isAllowedInviter {
+ return util.JSONResponse{
+ Code: http.StatusUnauthorized,
+ JSON: jsonerror.Forbidden("Inviter not allowed"),
+ }
+ }
+
+ return SendInvite(req, userAPI, device, vars["roomID"], cfg, rsAPI, asAPI)
 }),
 ).Methods(http.MethodPost, http.MethodOptions)
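Review bot: The error returned by `authorization.IsAllowed` is discarded with `_` in the new invite check, so an authorization-backend failure is indistinguishable from a real denial and is never logged; whether the check fails closed depends on `IsAllowed` returning false alongside an error, which this hunk does not show. Capture it and handle it like the decode error just above: `isAllowedInviter, err := authorization.IsAllowed(...)` followed by `if err != nil { return util.ErrorResponse(err) }`. The denial response also pairs `http.StatusUnauthorized` with `jsonerror.Forbidden`; the caller is already authenticated here (`device.UserID` is in use), so `Code: http.StatusForbidden,` would match the error body and likely avoids clients treating their access token as invalid. The enclosing handler and `Setup` both start and end outside the hunk.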