check for federated users being added on non-federated rooms

ricardogarim · ricardogarim · commit 3c9f75e01fdf · 2025-10-08T11:41:03.000-03:00
diff --git a/apps/meteor/app/lib/server/methods/addUsersToRoom.ts b/apps/meteor/app/lib/server/methods/addUsersToRoom.ts
@@ -1,5 +1,6 @@
 import { api } from '@rocket.chat/core-services';
 import type { IUser } from '@rocket.chat/core-typings';
+import { isRoomNativeFederated, isUserNativeFederated } from '@rocket.chat/core-typings';
 import type { ServerMethods } from '@rocket.chat/ddp-client';
 import { Subscriptions, Users, Rooms } from '@rocket.chat/models';
 import { Match } from 'meteor/check';
@@ -17,10 +18,6 @@ declare module '@rocket.chat/ddp-client' {
 	}
 }
 
-const isAFederatedUsername = (username: string) => {
-	return username.includes('@') && username.includes(':');
-};
-
 export const addUsersToRoomMethod = async (userId: string, data: { rid: string; users: string[] }, user?: IUser): Promise<boolean> => {
 	if (!userId) {
 		throw new Meteor.Error('error-invalid-user', 'Invalid user', {
@@ -83,7 +80,20 @@ export const addUsersToRoomMethod = async (userId: string, data: { rid: string;
 	await Promise.all(
 		data.users.map(async (username) => {
 			const newUser = await Users.findOneByUsernameIgnoringCase(username);
-			if (!newUser && !isAFederatedUsername(username)) {
+
+			if (!newUser) {
+				throw new Meteor.Error('error-user-not-found', 'User not found', {
+					method: 'addUsersToRoom',
+				});
+			}
+
+			if (isUserNativeFederated(newUser) && !isRoomNativeFederated(room)) {
+				throw new Meteor.Error('error-federated-users-in-non-federated-rooms', 'Cannot add federated users to non-federated rooms', {
+					method: 'addUsersToRoom',
+				});
+			}
+
+			if (!newUser && !isUserNativeFederated(newUser)) {
 				throw new Meteor.Error('error-invalid-username', 'Invalid username', {
 					method: 'addUsersToRoom',
 				});
diff --git a/apps/meteor/app/slashcommands-invite/server/server.ts b/apps/meteor/app/slashcommands-invite/server/server.ts
@@ -8,6 +8,10 @@ import { addUsersToRoomMethod } from '../../lib/server/methods/addUsersToRoom';
 import { settings } from '../../settings/server';
 import { slashCommands } from '../../utils/server/slashCommand';
 
+const isFederatedUsername = (username: string) => {
+	return username.includes('@') && username.includes(':');
+};
+
 /*
  * Invite is a named function that will replace /invite commands
  * @param {Object} message - The message object
@@ -17,16 +21,12 @@ slashCommands.add({
 	callback: async ({ params, message, userId }: SlashCommandCallbackParams<'invite'>): Promise<void> => {
 		const usernames = params
 			.split(/[\s,]/)
-			.map((username) => username.replace(/(^@)|( @)/, ''))
+			.map((username) => (isFederatedUsername(username) ? username : username.replace(/(^@)|( @)/, '')))
 			.filter((a) => a !== '');
 		if (usernames.length === 0) {
 			return;
 		}
-		const users = await Users.find({
-			username: {
-				$in: usernames,
-			},
-		}).toArray();
+		const users = await Users.findByUsernames(usernames).toArray();
 		if (users.length === 0) {
 			void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
 				msg: i18n.t('User_doesnt_exist', {
@@ -81,7 +81,12 @@ slashCommands.add({
 					if (typeof error !== 'string') {
 						return;
 					}
-					if (error === 'cant-invite-for-direct-room') {
+
+					if (error === 'error-federated-users-in-non-federated-rooms') {
+						void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
+							msg: i18n.t('You_cannot_add_external_users_to_non_federated_room', { lng: settings.get('Language') || 'en' }),
+						});
+					} else if (error === 'cant-invite-for-direct-room') {
 						void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
 							msg: i18n.t('Cannot_invite_users_to_direct_rooms', { lng: settings.get('Language') || 'en' }),
 						});
