Users with insufficient power can issue broken 3PID invites to a room

[matrixbot]

Created by @ matthew:matrix.org.

An invite mail gets generated apparently, but the user then gets an error on trying to set the m.room.third_party_invite state event if they don't have enough permission. So the invite is broken

[dbkr]

I'm about to mitigate this bug by preventing vector from trying to 3pid invite if the user is a guest (as part of #1101 ) but presumably this is a bug in synapse that should be fixed too.

[ara4n]

this isn't just if the user's a guest, though, but if they lack power to set state events in general

[richvdh]

What is the correct behaviour?

1. special-case m.room.third_party_invite and allow users to add new ones if they have permission to send invites in general
2. don't send the invite email (and reject the invite request) if the user's power level doesn't include the right to set m.room.third_party_invite state. As that currently stands, in practice it would mean that they need to be an admin, as allowing people to send such events also allows them to modify invites that other people have sent.
3. we could add a new permission level specifically for sending 3pid invites, which would allow the sending of new m.room.third_party_invites but not the modification of others.

My preference is probably 1, but once we tweak the permission model like that, there's no going back. @ara4n, @erikjohnston ?

[ara4n]

my preference is also 1. @erikjohnston?

[erikjohnston]

I guess the first is the only realistic option.

[ara4n]

PR hopefully specialcases appropriately. Shifting over to the PR to track progress.