matrix-org · clokep · Apr 14, 2021 · Apr 5, 2021 · Apr 5, 2021 · Apr 7, 2021
@@ -0,0 +1 @@
+Add experimental support for [MSC3083](https://github.com/matrix-org/matrix-doc/pull/3083): restricting room access via group membership.
@@ -1667,16 +1667,52 @@ async def on_send_join_request(self, origin: str, pdu: EventBase) -> JsonDict:
         # would introduce the danger of backwards-compatibility problems.
         event.internal_metadata.send_on_behalf_of = origin
 
-        context = await self._handle_new_event(origin, event)
+        # Calculate the event context.
+        context = await self._prep_event(
+            origin, event, state=None, auth_events=None, backfilled=False
+        )
+
+        # Get the state before the new event.
+        prev_state_ids = await context.get_prev_state_ids()
+
+        # Check if the user is already in the room or invited to the room.
+        user_id = event.state_key
+        prev_member_event_id = prev_state_ids.get((EventTypes.Member, user_id), None)
+        newly_joined = True
+        is_invite = False
+        if prev_member_event_id:
+            prev_member_event = await self.store.get_event(prev_member_event_id)
+            newly_joined = prev_member_event.membership != Membership.JOIN
+            is_invite = prev_member_event.membership == Membership.INVITE
+
+        # We retrieve the room member handler here as to not cause a cyclic dependency
+        member_handler = self.hs.get_room_member_handler()
+
+        # If the member is not already in the room, and not invited, check if
+        # they should be allowed access via membership in a space.
+        if (
+            newly_joined
+            and not is_invite
+            and not await member_handler.can_join_without_invite(
+                prev_state_ids,
+                event.room_version,
+                user_id,
+            )
+        ):
+            raise SynapseError(
+                400,
+                "You do not belong to any of the required spaces to join this room.",
+            )
+
+        # Persist the event.
+        await self._handle_new_event(origin, event, context)
 
         logger.debug(
             "on_send_join_request: After _handle_new_event: %s, sigs: %s",
             event.event_id,
             event.signatures,
         )
 
-        prev_state_ids = await context.get_prev_state_ids()
-
         state_ids = list(prev_state_ids.values())
         auth_chain = await self.store.get_auth_chain(event.room_id, state_ids)
 
@@ -1994,13 +2030,36 @@ async def _handle_new_event(
         self,
         origin: str,
         event: EventBase,
+        context: Optional[EventContext] = None,
         state: Optional[Iterable[EventBase]] = None,
         auth_events: Optional[MutableStateMap[EventBase]] = None,
         backfilled: bool = False,
     ) -> EventContext:
-        context = await self._prep_event(
-            origin, event, state=state, auth_events=auth_events, backfilled=backfilled
-        )
+        """
+        Process an event.
+
+        Args:
+            origin: The host the event originates from.
+            event: The event itself.
+            context: The event context, if available. Otherwise this is calculated
+                from state and auth_events.
+            state: The state events to calculate the event context from. This is
+                ignored if context is provided.
+            auth_events: The auth events to calculate the event context from. This is
+                ignored if context is provided.
+            backfilled: True if the event was backfilled.
+
+        Returns:
+             The event context.
+        """
+        if not context:
+            context = await self._prep_event(
+                origin,
+                event,
+                state=state,
+                auth_events=auth_events,
+                backfilled=backfilled,
+            )
 
         try:
             if (

@@ -179,7 +179,7 @@ async def ratelimit_invite(
 
         await self._invites_per_user_limiter.ratelimit(requester, invitee_user_id)
 
-    async def _can_join_without_invite(
+    async def can_join_without_invite(
         self, state_ids: StateMap[str], room_version: RoomVersion, user_id: str
     ) -> bool:
         """
@@ -303,7 +303,7 @@ async def _local_membership_update(
             if (
                 newly_joined
                 and not user_is_invited
-                and not await self._can_join_without_invite(
+                and not await self.can_join_without_invite(
                     prev_state_ids, event.room_version, user_id
                 )
             ):