feat(spaces): add role-based join gating for space child rooms

Checks if user has required Space roles before allowing join to a child room. Runs after antispam checks, before the actual join path. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 17:13:25 +01:00 · 2026-03-17 17:13:25 +01:00 · dfa38a1b49
commit dfa38a1b49
parent 83eea18f3e
1 changed files with 16 additions and 0 deletions
--- a/src/api/client/membership/join.rs
+++ b/src/api/client/membership/join.rs
@ -347,6 +347,22 @@ pub async fn join_room_by_id_helper(
 		}
 	}

+	// Space permission cascading: check if user has required roles
+	if services.rooms.roles.is_enabled() {
+		if let Some(parent_space) = services.rooms.roles.get_parent_space(room_id).await {
+			if !services
+				.rooms
+				.roles
+				.user_qualifies_for_room(&parent_space, room_id, sender_user)
+				.await
+			{
+				return Err!(Request(Forbidden(
+					"You do not have the required Space roles to join this room"
+				)));
+			}
+		}
+	}
+
 	if server_in_room {
 		join_room_by_id_helper_local(services, sender_user, room_id, reason, servers, state_lock)
 			.boxed()