refactor(discord): share component allowlist check

2026-05-09 11:57:39 +00:00 · 2026-02-15 17:17:03 +00:00
parent b2c42697dd
commit ac3db098ab
1 changed files with 45 additions and 23 deletions
--- a/src/discord/monitor/agent-components.ts
+++ b/src/discord/monitor/agent-components.ts
@@ -205,6 +205,40 @@ async function ensureGuildComponentMemberAllowed(params: {
  return false;
 }
 async function ensureAgentComponentInteractionAllowed(params: {
  ctx: AgentComponentContext;
  interaction: AgentComponentInteraction;
  channelId: string;
  rawGuildId: string | undefined;
  memberRoleIds: string[];
  user: DiscordUser;
  replyOpts: { ephemeral?: boolean };
  componentLabel: string;
  unauthorizedReply: string;
 }): Promise<{ parentId: string | undefined } | null> {
  const guildInfo = resolveDiscordGuildEntry({
    guild: params.interaction.guild ?? undefined,
    guildEntries: params.ctx.guildEntries,
  });
  const channelCtx = resolveDiscordChannelContext(params.interaction);
  const memberAllowed = await ensureGuildComponentMemberAllowed({
    interaction: params.interaction,
    guildInfo,
    channelId: params.channelId,
    rawGuildId: params.rawGuildId,
    channelCtx,
    memberRoleIds: params.memberRoleIds,
    user: params.user,
    replyOpts: params.replyOpts,
    componentLabel: params.componentLabel,
    unauthorizedReply: params.unauthorizedReply,
  });
  if (!memberAllowed) {
    return null;
  }
  return { parentId: channelCtx.parentId };
 }
 export type AgentComponentContext = {
  cfg: OpenClawConfig;
  accountId: string;
@@ -430,29 +464,23 @@ export class AgentComponentButton extends Button {
      memberRoleIds,
    } = interactionCtx;
-    // P2 FIX: Check user allowlist before processing component interaction
+    // Check user allowlist before processing component interaction
-    // This prevents unauthorized users from injecting system events
+    // This prevents unauthorized users from injecting system events.
-    const guildInfo = resolveDiscordGuildEntry({
+    const allowed = await ensureAgentComponentInteractionAllowed({
-      guild: interaction.guild ?? undefined,
+      ctx: this.ctx,
      guildEntries: this.ctx.guildEntries,
    });
    const channelCtx = resolveDiscordChannelContext(interaction);
    const { parentId } = channelCtx;
    const memberAllowed = await ensureGuildComponentMemberAllowed({
      interaction,
      guildInfo,
      channelId,
      rawGuildId,
      channelCtx,
      memberRoleIds,
      user,
      replyOpts,
      componentLabel: "button",
      unauthorizedReply: "You are not authorized to use this button.",
    });
-    if (!memberAllowed) {
+    if (!allowed) {
      return;
    }
    const { parentId } = allowed;
    // Resolve route with full context (guildId, proper peer kind, parentPeer)
    const route = resolveAgentRoute({
@@ -537,28 +565,22 @@ export class AgentSelectMenu extends StringSelectMenu {
      memberRoleIds,
    } = interactionCtx;
-    // Check user allowlist before processing component interaction
+    // Check user allowlist before processing component interaction.
-    const guildInfo = resolveDiscordGuildEntry({
+    const allowed = await ensureAgentComponentInteractionAllowed({
-      guild: interaction.guild ?? undefined,
+      ctx: this.ctx,
      guildEntries: this.ctx.guildEntries,
    });
    const channelCtx = resolveDiscordChannelContext(interaction);
    const { parentId } = channelCtx;
    const memberAllowed = await ensureGuildComponentMemberAllowed({
      interaction,
      guildInfo,
      channelId,
      rawGuildId,
      channelCtx,
      memberRoleIds,
      user,
      replyOpts,
      componentLabel: "select",
      unauthorizedReply: "You are not authorized to use this select menu.",
    });
-    if (!memberAllowed) {
+    if (!allowed) {
      return;
    }
    const { parentId } = allowed;
    // Extract selected values
    const values = interaction.values ?? [];