test: ensure accept/reject actions can only be performed by the invited user

ricardogarim · ricardogarim · commit 3a17d3575322 · 2025-12-03T17:47:08.000-03:00
diff --git a/apps/meteor/tests/data/rooms.helper.ts b/apps/meteor/tests/data/rooms.helper.ts
@@ -440,7 +440,7 @@ export const acceptRoomInvite = (roomId: IRoom['_id'], config?: IRequestConfig)
 	const requestInstance = config?.request || request;
 	const credentialsInstance = config?.credentials || credentials;
 
-	return new Promise<{ success: boolean }>((resolve) => {
+	return new Promise<{ success: boolean; error?: string }>((resolve) => {
 		void requestInstance
 			.post(api('rooms.invite'))
 			.set(credentialsInstance)
@@ -453,3 +453,32 @@ export const acceptRoomInvite = (roomId: IRoom['_id'], config?: IRequestConfig)
 			});
 	});
 };
+
+/**
+ * Rejects a room invite for the authenticated user.
+ *
+ * Processes a room invitation by rejecting it, which prevents the user
+ * from joining the room and removes them from the invited members list.
+ * This is essential for federated room workflows where users can decline invitations.
+ *
+ * @param roomId - The unique identifier of the room
+ * @param config - Optional request configuration for custom domains
+ * @returns Promise resolving to the rejection response
+ */
+export const rejectRoomInvite = (roomId: IRoom['_id'], config?: IRequestConfig) => {
+	const requestInstance = config?.request || request;
+	const credentialsInstance = config?.credentials || credentials;
+
+	return new Promise<{ success: boolean; error?: string }>((resolve) => {
+		void requestInstance
+			.post(api('rooms.invite'))
+			.set(credentialsInstance)
+			.send({
+				roomId,
+				action: 'reject',
+			})
+			.end((_err: any, req: any) => {
+				resolve(req.body);
+			});
+	});
+};
diff --git a/ee/packages/federation-matrix/src/FederationMatrix.ts b/ee/packages/federation-matrix/src/FederationMatrix.ts
@@ -896,7 +896,7 @@ export class FederationMatrix extends ServiceClass implements IFederationMatrixS
 	async handleInvite(roomId: IRoom['_id'], userId: IUser['_id'], action: 'accept' | 'reject'): Promise<void> {
 		const subscription = await Subscriptions.findInvitedSubscription(roomId, userId);
 		if (!subscription) {
-			throw new Error('User does not have a pending invite for this room');
+			throw new Error('No subscription found or user does not have permission to accept or reject this invite');
 		}
 
 		const room = await Rooms.findOneById(roomId);
diff --git a/ee/packages/federation-matrix/tests/end-to-end/room.spec.ts b/ee/packages/federation-matrix/tests/end-to-end/room.spec.ts
@@ -8,6 +8,7 @@ import {
 	addUserToRoom,
 	addUserToRoomSlashCommand,
 	acceptRoomInvite,
+	rejectRoomInvite,
 } from '../../../../../apps/meteor/tests/data/rooms.helper';
 import { type IRequestConfig, getRequestConfig, createUser, deleteUser } from '../../../../../apps/meteor/tests/data/users.helper';
 import { IS_EE } from '../../../../../apps/meteor/tests/e2e/config/constants';
@@ -1532,5 +1533,46 @@ import { SynapseClient } from '../helper/synapse-client';
 				});
 			});
 		});
+
+		describe('Accept/Reject invitation permissions', () => {
+			describe('User tries to accept another user invitation', () => {
+				let channelName: string;
+				let federatedChannel: any;
+
+				beforeAll(async () => {
+					channelName = `federated-channel-accept-permission-${Date.now()}`;
+					const createResponse = await createRoom({
+						type: 'p',
+						name: channelName,
+						members: [federationConfig.rc1.additionalUser1.username],
+						extraData: {
+							federated: true,
+						},
+						config: rc1AdminRequestConfig,
+					});
+
+					federatedChannel = createResponse.body.group;
+
+					expect(federatedChannel).toHaveProperty('_id');
+					expect(federatedChannel).toHaveProperty('name', channelName);
+					expect(federatedChannel).toHaveProperty('t', 'p');
+					expect(federatedChannel).toHaveProperty('federated', true);
+				}, 10000);
+
+				it('It should not allow admin to accept invitation on behalf of another user', async () => {
+					// RC view: Admin tries to accept rc1User1's invitation
+					const response = await acceptRoomInvite(federatedChannel._id, rc1AdminRequestConfig);
+					expect(response.success).toBe(false);
+					expect(response.error).toBe('Failed to handle invite: No subscription found or user does not have permission to accept or reject this invite');
+				});
+
+				it('It should not allow admin to reject invitation on behalf of another user', async () => {
+					// RC view: Admin tries to reject rc1User1's invitation
+					const response = await rejectRoomInvite(federatedChannel._id, rc1AdminRequestConfig);
+					expect(response.success).toBe(false);
+					expect(response.error).toBe('Failed to handle invite: No subscription found or user does not have permission to accept or reject this invite');
+				});
+			});
+		});
 	});
 });

Original file line number	Diff line number	Diff line change
`@@ -896,7 +896,7 @@ export class FederationMatrix extends ServiceClass implements IFederationMatrixS`
`896`	`896`	`async handleInvite(roomId: IRoom['_id'], userId: IUser['_id'], action: 'accept' \| 'reject'): Promise<void> {`
`897`	`897`	`const subscription = await Subscriptions.findInvitedSubscription(roomId, userId);`
`898`	`898`	`if (!subscription) {`
`899`		`- throw new Error('User does not have a pending invite for this room');`
	`899`	`+ throw new Error('No subscription found or user does not have permission to accept or reject this invite');`
`900`	`900`	`}`
`901`	`901`
`902`	`902`	`const room = await Rooms.findOneById(roomId);`