github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-12 02:23:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): keep DM pairing allowlists out of group auth

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 12:58:06 +01:00
parent d08dafb08f
commit 8bdda7a651
15 changed files with 194 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/telegram/bot-message-context.ts
View File

@@ -40,7 +40,7 @@ import {
firstDefined,
isSenderAllowed,
normalizeAllowFrom,
normalizeAllowFromWithStore,
normalizeDmAllowFromWithStore,
} from "./bot-access.js";
import {
buildGroupLabel,
@@ -195,7 +195,7 @@ export const buildTelegramMessageContext = async ({
: null;
const sessionKey = threadKeys?.sessionKey ?? baseSessionKey;
const mentionRegexes = buildMentionRegexes(cfg, route.agentId);
const effectiveDmAllow = normalizeAllowFromWithStore({ allowFrom, storeAllowFrom, dmPolicy });
const effectiveDmAllow = normalizeDmAllowFromWithStore({ allowFrom, storeAllowFrom, dmPolicy });
const groupAllowOverride = firstDefined(topicConfig?.allowFrom, groupConfig?.allowFrom);
// Group sender checks are explicit and must not inherit DM pairing-store entries.
const effectiveGroupAllow = normalizeAllowFrom(groupAllowOverride ?? groupAllowFrom);