From a45c76c4917edffd923fcf33d598ab2ad1b94422 Mon Sep 17 00:00:00 2001
From: Kegan Dougal <kegan@matrix.org>
Date: Wed, 24 Jun 2020 17:40:04 +0100
Subject: [PATCH] Only check invite auth events for local invites

---
 roomserver/internal/perform_invite.go | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/roomserver/internal/perform_invite.go b/roomserver/internal/perform_invite.go
index f890a38e7..4600bec0b 100644
--- a/roomserver/internal/perform_invite.go
+++ b/roomserver/internal/perform_invite.go
@@ -137,19 +137,22 @@ func (r *RoomserverInternalAPI) processInviteEvent(
 
 	event := input.Event.Unwrap()
 
-	// check that the user is allowed to do this
-	_, err = checkAuthEvents(ctx, r.DB, input.Event, input.Event.AuthEventIDs())
-	if err != nil {
-		log.WithError(err).WithField("event_id", event.EventID()).WithField("auth_event_ids", event.AuthEventIDs()).Error(
-			"processInviteEvent.checkAuthEvents failed for event",
-		)
-		if _, ok := err.(*gomatrixserverlib.NotAllowed); ok {
-			return nil, &api.PerformError{
-				Msg:  err.Error(),
-				Code: api.PerformErrorNotAllowed,
+	// check that the user is allowed to do this. We can only do this check if it is
+	// a local invite as we have the auth events, else we have to take it on trust.
+	if loopback != nil {
+		_, err = checkAuthEvents(ctx, r.DB, input.Event, input.Event.AuthEventIDs())
+		if err != nil {
+			log.WithError(err).WithField("event_id", event.EventID()).WithField("auth_event_ids", event.AuthEventIDs()).Error(
+				"processInviteEvent.checkAuthEvents failed for event",
+			)
+			if _, ok := err.(*gomatrixserverlib.NotAllowed); ok {
+				return nil, &api.PerformError{
+					Msg:  err.Error(),
+					Code: api.PerformErrorNotAllowed,
+				}
 			}
+			return nil, err
 		}
-		return nil, err
 	}
 
 	if len(input.InviteRoomState) > 0 {