fix(telegram): check chat allowlist before sender allowlist in group policy

When groupPolicy is "allowlist", the sender allowlist empty-entries guard ran before the chat-level allowlist check. This caused groups that were explicitly configured in the groups config to be silently rejected when no allowFrom / groupAllowFrom entries existed. Move the checkChatAllowlist block before the sender allowlist guard and introduce a chatExplicitlyAllowed flag that distinguishes a dedicated group entry (groupConfig is set) from a wildcard-only match. When the chat is explicitly allowed and no sender entries exist, skip the sender check entirely — the group ID itself acts as the authorization. Fixes #30613.
2026-05-07 19:01:25 +00:00 · 2026-03-01 09:59:54 -05:00
parent 60f8e832e0
commit 8247c25a32
2 changed files with 297 additions and 7 deletions
--- a/src/telegram/group-access.ts
+++ b/src/telegram/group-access.ts
@@ -130,14 +130,40 @@ export const evaluateTelegramGroupPolicyAccess = (params: {
  if (groupPolicy === "disabled") {
    return { allowed: false, reason: "group-policy-disabled", groupPolicy };
  }
+  // Check chat-level allowlist first so that groups explicitly listed in the
+  // `groups` config are not blocked by the sender-level "empty allowlist" guard.
+  let chatExplicitlyAllowed = false;
+  if (params.checkChatAllowlist) {
+    const groupAllowlist = params.resolveGroupPolicy(params.chatId);
+    if (groupAllowlist.allowlistEnabled && !groupAllowlist.allowed) {
+      return { allowed: false, reason: "group-chat-not-allowed", groupPolicy };
+    }
+    // The chat is explicitly allowed when it has a dedicated entry in the groups
+    // config (groupConfig is set).  A wildcard ("*") match alone does not count
+    // because it only enables the group — sender-level filtering still applies.
+    if (groupAllowlist.allowlistEnabled && groupAllowlist.allowed && groupAllowlist.groupConfig) {
+      chatExplicitlyAllowed = true;
+    }
+  }
  if (groupPolicy === "allowlist" && params.enforceAllowlistAuthorization) {
    const senderId = params.senderId ?? "";
    if (params.requireSenderForAllowlistAuthorization && !senderId) {
      return { allowed: false, reason: "group-policy-allowlist-no-sender", groupPolicy };
    }
-    if (!params.allowEmptyAllowlistEntries && !params.effectiveGroupAllow.hasEntries) {
+    // Skip the "empty allowlist" guard when the chat itself is explicitly
+    // listed in the groups config — the group ID acts as the allowlist entry.
+    if (
+      !chatExplicitlyAllowed &&
+      !params.allowEmptyAllowlistEntries &&
+      !params.effectiveGroupAllow.hasEntries
+    ) {
      return { allowed: false, reason: "group-policy-allowlist-empty", groupPolicy };
    }
+    // When the chat is explicitly allowed and there are no sender-level entries,
+    // skip the sender check — the group ID itself is the authorization.
+    if (chatExplicitlyAllowed && !params.effectiveGroupAllow.hasEntries) {
+      return { allowed: true, groupPolicy };
+    }
    const senderUsername = params.senderUsername ?? "";
    if (
      !isSenderAllowed({
@@ -149,11 +175,5 @@ export const evaluateTelegramGroupPolicyAccess = (params: {
      return { allowed: false, reason: "group-policy-allowlist-unauthorized", groupPolicy };
    }
  }
-  if (params.checkChatAllowlist) {
-    const groupAllowlist = params.resolveGroupPolicy(params.chatId);
-    if (groupAllowlist.allowlistEnabled && !groupAllowlist.allowed) {
-      return { allowed: false, reason: "group-chat-not-allowed", groupPolicy };
-    }
-  }
  return { allowed: true, groupPolicy };
 };