Skip to content

fix(telegram): include group allowlist in native command auth for forum topics#29230

Closed
i314nk wants to merge 1 commit intoopenclaw:mainfrom
i314nk:fix/telegram-forum-slash-auth
Closed

fix(telegram): include group allowlist in native command auth for forum topics#29230
i314nk wants to merge 1 commit intoopenclaw:mainfrom
i314nk:fix/telegram-forum-slash-auth

Conversation

@i314nk
Copy link
Copy Markdown

@i314nk i314nk commented Feb 28, 2026
edited
Loading

Problem

Native slash commands (/status, /reasoning, etc.) return "You are not authorized to use this command." in Telegram forum topic chats, even when the sender is authorized via per-group allowFrom or groupAllowFrom.

Regular messages in the same forum work correctly.

Root Cause

resolveTelegramCommandAuth in bot-native-commands.ts only passes the DM allowlist (allowFrom) as an authorizer to resolveCommandAuthorizedFromAuthorizers. For group messages, the DM pairing store is excluded (storeAllowFrom: isGroup ? [] : storeAllowFrom), so senders authorized via per-group config are incorrectly rejected.

Compare with bot-handlers.ts which correctly checks effectiveGroupAllow for group messages.

Fix

Add effectiveGroupAllow as a second authorizer when isGroup is true. Since resolveCommandAuthorizedFromAuthorizers uses authorizers.some(e => e.configured && e.allowed), either the DM allowlist OR the group allowlist matching is sufficient — mirroring regular message auth behavior.

+7 lines in bot-native-commands.ts.

Test

Added test: "allows native commands in forum topic when sender is in group allowFrom" — verifies /status succeeds in a forum supergroup when the sender is in the group's allowFrom list.

All 41 existing bot tests pass, zero regressions. Formatting clean (oxfmt --check).

AI Disclosure

  • AI-assisted (Claude Code for implementation, human-directed root cause analysis and prompt)
  • Fully tested — new test + all 41 existing tests pass
  • I understand what the code does

Fixes #29135

@jev1495
fix(telegram): include group allowlist in native command auth for for…
c84c79c 
…um topics

Native slash commands (/status, /reasoning, etc.) returned 'not authorized'
in forum topic chats because resolveTelegramCommandAuth only checked the DM
allowlist (allowFrom) when authorizing senders. In groups, the DM pairing
store is excluded, so senders authorized via per-group allowFrom or
groupAllowFrom were incorrectly rejected.

Add effectiveGroupAllow as a second authorizer when isGroup is true,
mirroring how bot-handlers.ts authorizes regular group messages.

Fixes openclaw#29135
@openclaw-barnacle openclaw-barnacle bot added channel: telegram Channel integration: telegram size: S labels Feb 28, 2026
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Feb 28, 2026

Greptile Summary

This PR fixes authorization for native slash commands in Telegram forum topics by adding group allowlist checking to resolveTelegramCommandAuth. The fix mirrors the authorization pattern already used in bot-handlers.ts for regular messages.

Key changes:

  • Added effectiveGroupAllow as a second authorizer when isGroup is true in src/telegram/bot-native-commands.ts:266-272
  • The authorization logic now checks both DM allowlist OR group allowlist, using resolveCommandAuthorizedFromAuthorizers with authorizers.some() semantics
  • Added comprehensive test coverage for forum topics with group allowlist authorization

How it works:
Before: Only checked DM allowlist (allowFrom), excluding pairing store for groups
After: Checks both DM allowlist AND group allowlist (effectiveGroupAllow) when in a group context, allowing either to authorize the sender

The implementation is clean, minimal (+7 lines), and aligns with existing authorization patterns in the codebase.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - it's a targeted bug fix with proper test coverage
  • The fix is well-implemented, follows existing patterns from bot-handlers.ts, adds proper test coverage, and addresses a clear bug without introducing side effects. The change is minimal and surgical (+7 lines), making it easy to verify correctness.
  • No files require special attention

Last reviewed commit: c84c79c

@i314nk i314nk mentioned this pull request Feb 28, 2026
Closed
@andybergon andybergon mentioned this pull request Mar 2, 2026
Closed
@andytcf andytcf mentioned this pull request Mar 3, 2026
Closed
@openclaw-barnacle
Copy link
Copy Markdown

openclaw-barnacle bot commented Mar 5, 2026

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

@openclaw-barnacle openclaw-barnacle bot added the stale Marked as stale due to inactivity label Mar 5, 2026
@i314nk
Copy link
Copy Markdown
Author

i314nk commented Mar 5, 2026

Still relevant — this fixes a real bug where native slash commands (like /model, /new) fail authorization in Telegram forum topics when using group allowlists. The fix is minimal (+7 lines), follows existing patterns from bot-handlers.ts, and has full test coverage. Happy to rebase if needed.

@i314nk
Copy link
Copy Markdown
Author

i314nk commented Mar 5, 2026

Closing — this fix has been superseded by the broader auth refactoring on main, particularly the group auth boundary enforcement (Feb 26) and the native command auth hardening in #34873 (Mar 5). The underlying code has been significantly reworked since this PR was opened. Thanks for the review, Greptile!

@i314nk i314nk closed this Mar 5, 2026
@edwluo edwluo mentioned this pull request Mar 7, 2026
Merged
@vincentkoc vincentkoc mentioned this pull request Mar 8, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

channel: telegram Channel integration: telegram size: S stale Marked as stale due to inactivity

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Telegram: slash commands return 'not authorized' in forum topic chats

2 participants

@i314nk @jev1495