From 688cd8f46a69bbc7b31e1668df5f7ca4e751eb82 Mon Sep 17 00:00:00 2001
From: timedout
Date: Sun, 5 Apr 2026 22:18:05 +0100
Subject: [PATCH] fix: Forbid creating events sent by remote users

---
 src/service/rooms/timeline/create.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/service/rooms/timeline/create.rs b/src/service/rooms/timeline/create.rs
index 40e41b084..b884bc970 100644
--- a/src/service/rooms/timeline/create.rs
+++ b/src/service/rooms/timeline/create.rs
@@ -81,6 +81,11 @@ fn from_evt(
 ))
 }
 }
+
+ if !self.services.globals.user_is_local(sender) {
+ return Err!(Request(Forbidden("Sender must be a local user")));
+ }
+
 let PduBuilder {
 event_type,
 content,
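Review bot: The new guard in from_evt rejects a non-local `sender` without stating the invariant it protects and without leaving any trace, so an operator sees nothing when a caller reaches this path with a remote user ID. A short comment above the check would record the reason, for example `// Events built here are hashed and signed by this server, so the sender must be one of our own users.` (presumably that is the reason; confirm against the signing code, which is outside the hunk). Reaching this branch suggests an upstream handler passed through a sender it should have rejected earlier, so logging `sender` at warning level before the `return` would make such requests visible to monitoring. from_evt's body starts and ends outside the hunk, so whether the earlier validation above the guard already touches state for that sender cannot be judged from here.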