github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 14:35:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): keep DM pairing allowlists out of group auth

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 12:58:06 +01:00
parent d08dafb08f
commit 8bdda7a651
15 changed files with 194 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/telegram/bot-handlers.ts
View File

@@ -28,7 +28,7 @@ import { resolveThreadSessionKeys } from "../routing/session-key.js";
import { withTelegramApiErrorLogging } from "./api-logging.js";
import {
isSenderAllowed,
normalizeAllowFromWithStore,
normalizeDmAllowFromWithStore,
type NormalizedAllowFrom,
} from "./bot-access.js";
import type { TelegramMediaRef } from "./bot-message-context.js";
@@ -615,7 +615,7 @@ export const registerTelegramHandlers = ({
return { allowed: false, reason: "direct-disabled" };
}
if (dmPolicy !== "open") {
const effectiveDmAllow = normalizeAllowFromWithStore({
const effectiveDmAllow = normalizeDmAllowFromWithStore({
allowFrom,
storeAllowFrom,
dmPolicy,
@@ -1273,7 +1273,7 @@ export const registerTelegramHandlers = ({
effectiveGroupAllow,
hasGroupAllowOverride,
} = eventAuthContext;
const effectiveDmAllow = normalizeAllowFromWithStore({
const effectiveDmAllow = normalizeDmAllowFromWithStore({
allowFrom,
storeAllowFrom,
dmPolicy,