
Telegram native command auth in groups checks DM allowlist instead of groupAllowFrom #30234

@baccula

Bug

Native Telegram slash commands (e.g. /status, /help) in supergroup topics reject authorized senders with "You are not authorized to use this command." even when the sender is in channels.telegram.groupAllowFrom.

Root Cause

In resolveTelegramCommandAuth, the final authorization check uses the DM allowlist (channels.telegram.allowFrom) rather than groupAllowFrom, even when the command originates from a group:

const dmAllow = normalizeDmAllowFromWithStore$1({
    allowFrom,           // <-- DM allowlist, not groupAllowFrom
    storeAllowFrom: isGroup ? [] : storeAllowFrom,
    dmPolicy: telegramCfg.dmPolicy ?? "pairing"
});
const senderAllowed = isSenderAllowed$1({
    allow: dmAllow,
    senderId,
    senderUsername
});
const commandAuthorized = resolveCommandAuthorizedFromAuthorizers({
    useAccessGroups,
    authorizers: [{ configured: dmAllow.hasEntries, allowed: senderAllowed }],
    modeWhenAccessGroupsOff: "configured"
});
if (requireAuth && !commandAuthorized) return await rejectNotAuthorized();

Regular group messages use a different auth path (shouldSkipGroupMessage → evaluateTelegramGroupPolicyAccess) that correctly checks groupAllowFrom. So the bug is isolated to native command handling.

Additional Issue

The sendAuthMessage helper in resolveTelegramCommandAuth sends to chatId without thread params, so the rejection message appears in #General instead of the topic where the command was sent.

Config That Triggers This

{
  "channels": {
    "telegram": {
      "groupAllowFrom": [123456789],
      "groupPolicy": "allowlist",
      "groups": {
        "-100xxxxxxxxxx": {
          "allowFrom": [123456789]
        }
      }
      // no top-level "allowFrom" set
    }
  }
}

Expected Behavior

  • Native commands in groups should authorize against groupAllowFrom (and group/topic-level allowFrom), not the DM allowlist.
  • Auth rejection messages in forum topics should include thread params to reply in the correct topic.

Workaround

Add the user ID to channels.telegram.allowFrom (the DM allowlist). This fixes native command auth in groups but shouldn't be required.

Version

openclaw 2026.2.26
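
The allowlist selection described in this issue, as an added JavaScript example that is not part of the original report and is not openclaw's code: a simplified model contrasting the reported DM-only lookup with a chat-scoped one, plus thread-aware rejection parameters. The helper names, the chat id, the fail-closed handling of an empty list and the choice to merge groupAllowFrom with the per-group allowFrom are assumptions; message_thread_id is the Telegram Bot API parameter for forum topics.

```javascript
// Simplified model of the allowlist selection; NOT openclaw's implementation.
// Config shape follows the issue; the chat id is a constructed placeholder.
const cfg = {
  channels: { telegram: {
    groupAllowFrom: [123456789],
    groupPolicy: "allowlist",
    groups: { "-1000000000001": { allowFrom: [123456789] } },
    // no top-level allowFrom (the DM allowlist)
  } },
};

// Compare ids as strings so numeric and string ids match.
const normalize = (list) => new Set((list ?? []).map(String));

// Behaviour reported in the issue: always consult the DM allowlist.
function dmOnlyAllowlist(tg) {
  return normalize(tg.allowFrom);
}

// Expected behaviour: group commands consult groupAllowFrom plus the
// per-group allowFrom (merging is an assumption); DMs keep the DM allowlist.
function scopedAllowlist(tg, { isGroup, chatId }) {
  if (!isGroup) return normalize(tg.allowFrom);
  const perGroup = tg.groups?.[String(chatId)]?.allowFrom;
  return normalize([...(tg.groupAllowFrom ?? []), ...(perGroup ?? [])]);
}

// Hypothetical decision helper: an empty allowlist authorizes nobody (fail closed).
function authorizeCommand(allow, senderId) {
  return allow.size > 0 && allow.has(String(senderId));
}

// A rejection sent from a forum topic carries the thread id so the reply
// lands in that topic instead of #General.
function rejectionParams(chatId, threadId) {
  const params = { chat_id: chatId, text: "You are not authorized to use this command." };
  if (threadId != null) params.message_thread_id = threadId;
  return params;
}
```

In this model the workaround from the issue also makes the sender pass the DM-scoped check, which is why selecting the allowlist by chat type is the narrower fix.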
