fix: enforce strict allowlist across pairing stores (#23017)

2026-05-03 10:00:21 +00:00 · 2026-02-22 00:00:23 +01:00
parent 617e38cec0
commit 0bd9f0d4ac
31 changed files with 162 additions and 45 deletions
--- a/src/plugin-sdk/command-auth.ts
+++ b/src/plugin-sdk/command-auth.ts
@@ -26,7 +26,9 @@ export async function resolveSenderCommandAuthorization(
 }> {
  const shouldComputeAuth = params.shouldComputeCommandAuthorized(params.rawBody, params.cfg);
  const storeAllowFrom =
-    !params.isGroup && (params.dmPolicy !== "open" || shouldComputeAuth)
+    !params.isGroup &&
+    params.dmPolicy !== "allowlist" &&
+    (params.dmPolicy !== "open" || shouldComputeAuth)
      ? await params.readAllowFromStore().catch(() => [])
      : [];
  const effectiveAllowFrom = [...params.configuredAllowFrom, ...storeAllowFrom];