fix: fail closed missing provider group policy across message channels (#23367) (thanks @bmendonca3)

Peter Steinberger
2026-02-22 12:17:44 +01:00
parent 78c3c2a542
commit 777817392d
45 changed files with 420 additions and 75 deletions


@@ -1,4 +1,5 @@
import { loadConfig } from "../../config/config.js";
import { resolveRuntimeGroupPolicy } from "../../config/runtime-group-policy.js";
import { logVerbose } from "../../globals.js";
import { buildPairingReply } from "../../pairing/pairing-messages.js";
import {
@@ -17,6 +18,23 @@ export type InboundAccessControlResult = {
const PAIRING_REPLY_HISTORY_GRACE_MS = 30_000;
function resolveWhatsAppRuntimeGroupPolicy(params: {
providerConfigPresent: boolean;
groupPolicy?: "open" | "allowlist" | "disabled";
defaultGroupPolicy?: "open" | "allowlist" | "disabled";
}): {
groupPolicy: "open" | "allowlist" | "disabled";
providerMissingFallbackApplied: boolean;
} {
return resolveRuntimeGroupPolicy({
providerConfigPresent: params.providerConfigPresent,
groupPolicy: params.groupPolicy,
defaultGroupPolicy: params.defaultGroupPolicy,
configuredFallbackPolicy: "open",
missingProviderFallbackPolicy: "allowlist",
});
}
export async function checkInboundAccessControl(params: {
accountId: string;
from: string;
@@ -82,7 +100,16 @@ export async function checkInboundAccessControl(params: {
// - "disabled": block all group messages entirely
// - "allowlist": only allow group messages from senders in groupAllowFrom/allowFrom
const defaultGroupPolicy = cfg.channels?.defaults?.groupPolicy;
const groupPolicy = account.groupPolicy ?? defaultGroupPolicy ?? "open";
const { groupPolicy, providerMissingFallbackApplied } = resolveWhatsAppRuntimeGroupPolicy({
providerConfigPresent: cfg.channels?.whatsapp !== undefined,
groupPolicy: account.groupPolicy,
defaultGroupPolicy,
});
if (providerMissingFallbackApplied) {
logVerbose(
'whatsapp: channels.whatsapp is missing; defaulting groupPolicy to "allowlist" (group messages blocked until explicitly configured).',
);
}
if (params.group && groupPolicy === "disabled") {
logVerbose("Blocked group message (groupPolicy: disabled)");
return {
@@ -191,3 +218,7 @@ export async function checkInboundAccessControl(params: {
resolvedAccountId: account.accountId,
};
}
export const __testing = {
resolveWhatsAppRuntimeGroupPolicy,
};
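Review bot: The presence test `providerConfigPresent: cfg.channels?.whatsapp !== undefined` in the third hunk treats a `null` value as configured, so an empty `channels.whatsapp` key that the config loader parses to `null` would presumably take the `configuredFallbackPolicy: "open"` path instead of the fail-closed `"allowlist"` one; resolveRuntimeGroupPolicy is not shown here, so this is inferred from the parameter names. If the loader can produce `null`, `providerConfigPresent: cfg.channels?.whatsapp != null` closes that gap. The fallback notice also goes through `logVerbose` on every call, so an operator running without verbose logging gets no indication of why group messages are being dropped; a one-time warning-level message would make the policy change visible. checkInboundAccessControl's body begins and ends outside the hunks shown.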