diff --git a/src/api/client/membership/join.rs b/src/api/client/membership/join.rs
index cbb82506..f9a5b421 100644
--- a/src/api/client/membership/join.rs
+++ b/src/api/client/membership/join.rs
@@ -347,6 +347,22 @@ pub async fn join_room_by_id_helper(
 		}
 	}
 
+	// Space permission cascading: check if user has required roles
+	if services.rooms.roles.is_enabled() {
+		if let Some(parent_space) = services.rooms.roles.get_parent_space(room_id).await {
+			if !services
+				.rooms
+				.roles
+				.user_qualifies_for_room(&parent_space, room_id, sender_user)
+				.await
+			{
+				return Err!(Request(Forbidden(
+					"You do not have the required Space roles to join this room"
+				)));
+			}
+		}
+	}
+
 	if server_in_room {
 		join_room_by_id_helper_local(services, sender_user, room_id, reason, servers, state_lock)
 			.boxed()