validate creator for federated DMs

sampaiodiego · sampaiodiego · commit 65ca4373d9b5 · 2025-12-08T16:10:24.000-03:00
diff --git a/apps/meteor/app/lib/server/functions/createDirectRoom.ts b/apps/meteor/app/lib/server/functions/createDirectRoom.ts
@@ -155,19 +155,22 @@ export async function createDirectRoom(
 			{ projection: { 'username': 1, 'settings.preferences': 1 } },
 		).toArray();
 
-		const creatorUser = options?.creator ? roomMembers.find((member) => member._id === options?.creator) : undefined;
-
-		// TODO wtf creatorUser can be undefined here?
+		const creatorUser = roomMembers.find((member) => member._id === options?.creator);
+		if (roomExtraData.federated && !creatorUser) {
+			throw new Meteor.Error('error-creator-not-in-room', 'The creator user must be part of the direct room');
+		}
 
 		for await (const member of membersWithPreferences) {
 			const otherMembers = sortedMembers.filter(({ _id }) => _id !== member._id);
 
 			const subscriptionStatus: Partial<ISubscription> =
-				roomExtraData.federated && options?.creator !== member._id
+				roomExtraData.federated && options.creator !== member._id && creatorUser
 					? {
 							status: 'INVITED',
 							inviter: {
-								_id: creatorUser?._id,
+								_id: creatorUser._id,
+								username: creatorUser.username,
+								name: creatorUser.name,
 							},
 							open: true,
 							unread: 1,
diff --git a/apps/meteor/app/lib/server/functions/createRoom.ts b/apps/meteor/app/lib/server/functions/createRoom.ts
@@ -7,7 +7,6 @@ import { isRoomNativeFederated } from '@rocket.chat/core-typings';
 import { Rooms, Subscriptions, Users } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
-import { performAddUserToRoom } from './addUserToRoom';
 import { createDirectRoom } from './createDirectRoom';
 import { callbacks } from '../../../../lib/callbacks';
 import { beforeAddUserToRoom } from '../../../../lib/callbacks/beforeAddUserToRoom';
@@ -203,7 +202,7 @@ export const createRoom = async <T extends RoomType>(
 	}
 
 	if (type === 'd') {
-		return createDirectRoom(members as IUser[], extraData, { ...options, creator: options?.creator || owner?.username });
+		return createDirectRoom(members as IUser[], extraData, { ...options, creator: options?.creator || owner?._id });
 	}
 
 	if (!onlyUsernames(members)) {

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,6 @@ import { isRoomNativeFederated } from '@rocket.chat/core-typings';`
`7`	`7`	`import { Rooms, Subscriptions, Users } from '@rocket.chat/models';`
`8`	`8`	`import { Meteor } from 'meteor/meteor';`
`9`	`9`
`10`		`-import { performAddUserToRoom } from './addUserToRoom';`
`11`	`10`	`import { createDirectRoom } from './createDirectRoom';`
`12`	`11`	`import { callbacks } from '../../../../lib/callbacks';`
`13`	`12`	`import { beforeAddUserToRoom } from '../../../../lib/callbacks/beforeAddUserToRoom';`
`@@ -203,7 +202,7 @@ export const createRoom = async <T extends RoomType>(`
`203`	`202`	`}`
`204`	`203`
`205`	`204`	`if (type === 'd') {`
`206`		`- return createDirectRoom(members as IUser[], extraData, { ...options, creator: options?.creator \|\| owner?.username });`
	`205`	`+ return createDirectRoom(members as IUser[], extraData, { ...options, creator: options?.creator \|\| owner?._id });`
`207`	`206`	`}`
`208`	`207`
`209`	`208`	`if (!onlyUsernames(members)) {`