github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 16:48:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Gateway: align pairing scope checks for read access

Browse Source
This commit is contained in:
Shakker
2026-02-20 04:51:36 +00:00
committed by Shakker
parent 86f207adb0
commit 525d6e0671
8 changed files with 256 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/gateway/server/ws-connection/message-handler.ts
View File

@@ -21,6 +21,7 @@ import { upsertPresence } from "../../../infra/system-presence.js";
import { loadVoiceWakeConfig } from "../../../infra/voicewake.js";
import { rawDataToString } from "../../../infra/ws.js";
import type { createSubsystemLogger } from "../../../logging/subsystem.js";
import { roleScopesAllow } from "../../../shared/operator-scope-compat.js";
import { isGatewayCliClient, isWebchatClient } from "../../../utils/message-channel.js";
import { resolveRuntimeServiceVersion } from "../../../version.js";
import {
@@ -743,9 +744,12 @@ export function attachGatewayWsMessageHandler(params: {
return;
}
} else {
const allowedScopes = new Set(pairedScopes);
const missingScope = scopes.find((scope) => !allowedScopes.has(scope));
if (missingScope) {
const scopesAllowed = roleScopesAllow({
role,
requestedScopes: scopes,
allowedScopes: pairedScopes,
});
if (!scopesAllowed) {
logUpgradeAudit("scope-upgrade", pairedRoles, pairedScopes);
const ok = await requirePairing("scope-upgrade");
if (!ok) {