feat(feishu): add global groupSenderAllowFrom for sender-level group access control by 1MoreBuild · Pull Request #29174 · openclaw/openclaw

1MoreBuild · 2026-02-27T22:24:01Z

Summary

Problem: Sender-level access control in group chats can only be configured per group via groups.<chat_id>.allowFrom, requiring duplication for every group.
Why it matters: Bot owners who want to restrict interaction to specific users across all groups must maintain redundant config that is error-prone and leaves new groups unprotected by default.
What changed: Added groupSenderAllowFrom option at the channel level. When set, it acts as a global sender allowlist for all groups. Per-group allowFrom still takes precedence when configured.
What did NOT change (scope boundary): Existing groupPolicy, groupAllowFrom, and per-group allowFrom behavior is unchanged. No breaking changes.

Change Type (select all)

Scope (select all touched areas)

Linked Issue/PR

Closes [Feature]: Global sender-level allowlist for group chats #29166

User-visible / Behavior Changes

New optional config field channels.feishu.groupSenderAllowFrom (array of open_id strings).
When set, only listed senders can interact with the bot in group chats.
Per-group groups.<chat_id>.allowFrom overrides the global setting when present.

Example:

{
  channels: {
    feishu: {
      groupPolicy: "open",
      groupSenderAllowFrom: ["ou_xxx"],
    }
  }
}

Security Impact (required)

New permissions/capabilities? No
Secrets/tokens handling changed? No
New/changed network calls? No
Command/tool execution surface changed? No
Data access scope changed? No

Repro + Verification

Environment

OS: Linux
Runtime/container: Node.js 24
Model/provider: N/A
Integration/channel: Feishu (WebSocket mode)
Relevant config (redacted):

{
  channels: {
    feishu: {
      groupPolicy: "open",
      groupSenderAllowFrom: ["ou_my_id"],
    }
  }
}

Steps

Set groupSenderAllowFrom to a list containing your open_id
@mention the bot from an allowed user in any group — should respond
@mention the bot from a different user in any group — should be ignored
Add per-group allowFrom to a specific group — should override global setting for that group

Expected

Global groupSenderAllowFrom filters senders across all groups
Per-group allowFrom takes precedence when configured

Actual

Verified locally: sender not in groupSenderAllowFrom is rejected with log message; allowed sender triggers normal response

Evidence

Trace/log snippets

Before (per-group only):

feishu: sender ou_xxx not in group oc_yyy sender allowlist

After (global fallback):

feishu: sender ou_xxx not in group oc_yyy sender allowlist  (same log, now also triggered by groupSenderAllowFrom)

Human Verification (required)

Verified scenarios: Global allowlist blocks unauthorized senders; per-group allowFrom overrides global
Edge cases checked: Empty groupSenderAllowFrom (no-op), wildcard "*" in groupSenderAllowFrom
What you did not verify: Multi-account config inheritance

Compatibility / Migration

Backward compatible? Yes
Config/env changes? Yes — new optional field groupSenderAllowFrom
Migration needed? No

Failure Recovery (if this breaks)

How to disable/revert: Remove groupSenderAllowFrom from config; behavior reverts to per-group only
Files/config to restore: ~/.openclaw/openclaw.json
Known bad symptoms: Senders unexpectedly blocked in groups if field is misconfigured

Risks and Mitigations

Risk: Per-group allowFrom silently overrides global groupSenderAllowFrom, which may confuse users.
- Mitigation: Documented precedence; consistent with existing pattern where specific config overrides global.

greptile-apps · 2026-02-27T22:26:40Z

Greptile Summary

Added global sender-level access control for Feishu group chats through new groupSenderAllowFrom configuration option. This addresses the need to restrict bot interactions to specific users across all groups without duplicating configuration for each group individually.

Key Changes:

Added groupSenderAllowFrom field to FeishuSharedConfigShape in config schema (optional array of user IDs)
Implemented fallback logic: per-group allowFrom takes precedence, global groupSenderAllowFrom used as default
Empty or undefined per-group allowFrom triggers fallback to global setting

Implementation Notes:

The precedence logic uses perGroupSenderAllowFrom.length > 0 to determine if per-group config is active, treating empty arrays as "not configured" rather than "deny all"
Existing group-level and DM access controls remain unchanged
Fully backward compatible - new field is optional and defaults handled gracefully

Confidence Score: 5/5

This PR is safe to merge with minimal risk
The implementation is straightforward, follows existing patterns, and is fully backward compatible. The new optional field uses established schemas and validation patterns. The fallback logic is clear and well-implemented, with proper precedence (per-group overrides global). No breaking changes, no security risks introduced.
No files require special attention

_{Last reviewed commit: 72ad3da}

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 72ad3daaae

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

chatgpt-codex-connector · 2026-02-27T22:27:25Z

extensions/feishu/src/bot.ts

+    const effectiveSenderAllowFrom =
+      perGroupSenderAllowFrom.length > 0 ? perGroupSenderAllowFrom : globalSenderAllowFrom;


Treat empty group allowFrom as explicit override

When channels.feishu.groupSenderAllowFrom is set, this fallback picks the global list whenever a group-level allowFrom is an empty array, so groups.<chat>.allowFrom: [] cannot disable sender filtering for that one group. That makes per-group precedence inconsistent and can silently block users in groups that operators intended to leave unrestricted; checking whether the group key is explicitly set (instead of length > 0) avoids this regression.

Useful? React with 👍 / 👎.

…access control Add `groupSenderAllowFrom` at the channel config level so bot owners can restrict group chat interaction to specific senders globally, without duplicating `allowFrom` in every `groups.<chat_id>` entry. Per-group `allowFrom` still takes precedence when configured. Closes openclaw#29166 Co-Authored-By: Claude Opus 4.6 <[email protected]>

Takhoffman · 2026-02-28T03:49:55Z

PR #29174 - feat(feishu): add global groupSenderAllowFrom for sender-level group access control (#29174)

Merged via squash.

Merge commit: 107be4e
Verified: pnpm build, pnpm check, pnpm test:macmini
Changes made:
M\textensions/feishu/src/bot.test.ts
M\tCHANGELOG.md
Why these changes were made:
The PR changed Feishu group sender authorization behavior but lacked regression coverage and changelog coverage; tests were added for allow/block/precedence semantics and changelog was updated.
Changelog: CHANGELOG.md updated=true required=true opt_out=false

Thanks @1MoreBuild!

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5616b4c35a

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-02-28T03:54:11Z

extensions/feishu/src/bot.ts

+    // Sender-level allowlist: per-group allowFrom takes precedence, then global groupSenderAllowFrom
+    const perGroupSenderAllowFrom = groupConfig?.allowFrom ?? [];
+    const globalSenderAllowFrom = feishuCfg?.groupSenderAllowFrom ?? [];
+    const effectiveSenderAllowFrom =
+      perGroupSenderAllowFrom.length > 0 ? perGroupSenderAllowFrom : globalSenderAllowFrom;


Reuse global sender allowlist for command authorization

This new effectiveSenderAllowFrom gate only controls whether the message is dropped, but command authorization later in handleFeishuMessage is still computed from groupConfig?.allowFrom ?? configAllowFrom; if operators set only channels.feishu.groupSenderAllowFrom (the feature added here), allowed group senders can chat but still get CommandAuthorized=false on slash/control commands, which resolveCommandAuthorization treats as unauthorized. This creates a regression for users migrating from per-group allowFrom entries to the new global setting.

Useful? React with 👍 / 👎.

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit 2a036db)

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit 2a036db)

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit 2a036db)

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit 107be4e)

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit 107be4e)

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit 107be4e)

@1MoreBuild

…access control (openclaw#29174) thanks @1MoreBuild (#1464) Verified: - pnpm build - pnpm check - pnpm test:macmini (cherry picked from commit 107be4e) Co-authored-by: Haitian <[email protected]> Co-authored-by: 1MoreBuild <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>

openclaw-barnacle bot added channel: feishu Channel integration: feishu size: XS labels Feb 27, 2026

chatgpt-codex-connector bot reviewed Feb 27, 2026

View reviewed changes

liuhaitian and others added 2 commits February 27, 2026 21:31

test(feishu): cover global group sender allowlist fallback

5616b4c

Takhoffman force-pushed the feat/global-group-sender-allowfrom branch from 72ad3da to 5616b4c Compare February 28, 2026 03:49

openclaw-barnacle bot added size: S and removed size: XS labels Feb 28, 2026

Takhoffman merged commit 107be4e into openclaw:main Feb 28, 2026
10 checks passed

chatgpt-codex-connector bot reviewed Feb 28, 2026

View reviewed changes

1MoreBuild deleted the feat/global-group-sender-allowfrom branch February 28, 2026 05:25

github-actions bot mentioned this pull request Mar 1, 2026

cherry-pick: upstream docs commits (2026-03-01-0443) hughdidit/DAISy-Agency#141

Closed

6 tasks

gemini-code-assist bot mentioned this pull request Mar 1, 2026

chore(sync): replay rollup fixes on upstream/main MillionthOdin16/openclaw#111

Merged

alexey-pelykh mentioned this pull request Mar 10, 2026

Cherry-pick: Feishu adapter — community PRs and fixes remoteclaw/remoteclaw#678

Closed

alexey-pelykh mentioned this pull request Mar 15, 2026

Cherry-pick 107be4e90: feat(feishu): add global groupSenderAllowFrom remoteclaw/remoteclaw#1464

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(feishu): add global groupSenderAllowFrom for sender-level group access control#29174

feat(feishu): add global groupSenderAllowFrom for sender-level group access control#29174
Takhoffman merged 2 commits intoopenclaw:mainfrom
1MoreBuild:feat/global-group-sender-allowfrom

1MoreBuild commented Feb 27, 2026

Uh oh!

greptile-apps bot commented Feb 27, 2026

Uh oh!

chatgpt-codex-connector bot left a comment

Uh oh!

chatgpt-codex-connector bot Feb 27, 2026

Uh oh!

Uh oh!

Takhoffman commented Feb 28, 2026

Uh oh!

chatgpt-codex-connector bot left a comment

Uh oh!

chatgpt-codex-connector bot Feb 28, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

		const effectiveSenderAllowFrom =
		perGroupSenderAllowFrom.length > 0 ? perGroupSenderAllowFrom : globalSenderAllowFrom;

Uh oh!

Conversation

1MoreBuild commented Feb 27, 2026

Summary

Change Type (select all)

Scope (select all touched areas)

Linked Issue/PR

User-visible / Behavior Changes

Security Impact (required)

Repro + Verification

Environment

Steps

Expected

Actual

Evidence

Human Verification (required)

Compatibility / Migration

Failure Recovery (if this breaks)

Risks and Mitigations

Uh oh!

greptile-apps bot commented Feb 27, 2026

Greptile Summary

Confidence Score: 5/5

Uh oh!

chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector bot Feb 27, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Takhoffman commented Feb 28, 2026

Uh oh!

chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector bot Feb 28, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants