Invite policy based on power level

corporal/httpgateway/policycheck/room.go

@@ -14,6 +14,7 @@ import (
 // CheckRoomCreate is a policy checker for: /_matrix/client/r0/createRoom
 func CheckRoomCreate(r *http.Request, ctx context.Context, policy policy.Policy, checker policy.Checker) PolicyCheckResponse {
 	userId := ctx.Value("userId").(string)
+	members := ctx.Value("invite").([]string)
 
 	if !checker.CanUserCreateRoom(policy, userId) {
 		return PolicyCheckResponse{
@@ -23,6 +24,17 @@ func CheckRoomCreate(r *http.Request, ctx context.Context, policy policy.Policy,
 		}
 	}
 
+	// Check if powerlevel of invited members are same or less than the user powerlevel
+	for _, memberId := range members {
+		if !checker.CanSendInvite(policy, userId, memberId) {
+			return PolicyCheckResponse{
+				Allow:        false,
+				ErrorCode:    matrix.ErrorForbidden,
+				ErrorMessage: "Denied by policy",
+			}
+		}
+	}
+
 	return PolicyCheckResponse{
 		Allow: true,
 	}

corporal/policy/checker.go

@@ -65,3 +65,19 @@ func (me *Checker) CanUserUseCustomDisplayName(policy Policy, userId string) boo
 func (me *Checker) CanUserUseCustomAvatar(policy Policy, userId string) bool {
 	return policy.Flags.AllowCustomUserAvatars
 }
+
+//Compares the power level of sender and invited members. Allows invite only within their power level and below.
+
+func (me *Checker) CanSendInvite(policy, userId, memberId)  bool {
+	memberPolicy := policy.GetUserPolicyByUserId(memberId)	
+	userPolicy := policy.GetUserPolicyByUserId(userId)	
+	if memberPolicy == nil {
+		return true
+	}
+
+	if userPolicy == nil {
+		return false
+	}
+
+	return memberPolicy.PowerLevel <= userPolicy.PowerLevel
+}

corporal/policy/policy.go

@@ -58,4 +58,8 @@ type UserPolicy struct {
 
 	// Tells whether this user is forbidden from creating rooms.
 	ForbidRoomCreation *bool `json:"forbidRoomCreation"`
+
+	//PowerLevel.
+	PowerLevel int `json:"powerLevel"`
+
 }