From dfa38a1b49527bde8f7289f70bb5f1bfba98b0bb Mon Sep 17 00:00:00 2001
From: ember33 <embergayshark@pm.me>
Date: Tue, 17 Mar 2026 17:13:25 +0100
Subject: [PATCH] feat(spaces): add role-based join gating for space child
 rooms

Checks if user has required Space roles before allowing join to a
child room. Runs after antispam checks, before the actual join path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/api/client/membership/join.rs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/api/client/membership/join.rs b/src/api/client/membership/join.rs
index cbb82506..f9a5b421 100644
--- a/src/api/client/membership/join.rs
+++ b/src/api/client/membership/join.rs
@@ -347,6 +347,22 @@ pub async fn join_room_by_id_helper(
 		}
 	}
 
+	// Space permission cascading: check if user has required roles
+	if services.rooms.roles.is_enabled() {
+		if let Some(parent_space) = services.rooms.roles.get_parent_space(room_id).await {
+			if !services
+				.rooms
+				.roles
+				.user_qualifies_for_room(&parent_space, room_id, sender_user)
+				.await
+			{
+				return Err!(Request(Forbidden(
+					"You do not have the required Space roles to join this room"
+				)));
+			}
+		}
+	}
+
 	if server_in_room {
 		join_room_by_id_helper_local(services, sender_user, room_id, reason, servers, state_lock)
 			.boxed()