diff --git a/extensions/matrix/src/matrix/monitor/handler.test.ts b/extensions/matrix/src/matrix/monitor/handler.test.ts
index 2b278e0b1be..f2751f32682 100644
--- a/extensions/matrix/src/matrix/monitor/handler.test.ts
+++ b/extensions/matrix/src/matrix/monitor/handler.test.ts
@@ -1841,6 +1841,41 @@ describe("matrix monitor handler live allowlist reload", () => {
 expect(dispatchReplyFromConfig).toHaveBeenCalledTimes(1);
 });
 
+ it("blocks a DM sender after live wildcard removal", async () => {
+ const dispatchReplyFromConfig = createDispatchReplyFromConfig();
+ const cfg = {
+ channels: {
+ matrix: {
+ dm: { allowFrom: ["*"] },
+ },
+ },
+ };
+ const { handler } = createMatrixHandlerTestHarness({
+ cfg,
+ dmPolicy: "allowlist",
+ isDirectMessage: true,
+ allowFrom: ["*"],
+ allowFromResolvedEntries: [],
+ dispatchReplyFromConfig,
+ });
+
+ await sendLiveAllowlistMessage(handler, {
+ eventId: "$dm-wildcard-before",
+ sender: "@alice:example.org",
+ body: "hello",
+ });
+ expect(dispatchReplyFromConfig).toHaveBeenCalledTimes(1);
+
+ cfg.channels.matrix.dm.allowFrom = [];
+ await sendLiveAllowlistMessage(handler, {
+ eventId: "$dm-wildcard-after",
+ sender: "@alice:example.org",
+ body: "hello again",
+ });
+
+ expect(dispatchReplyFromConfig).toHaveBeenCalledTimes(1);
+ });
+
 it("uses account-scoped live dm.allowFrom overrides", async () => {
 const dispatchReplyFromConfig = createDispatchReplyFromConfig();
 const cfg = {
diff --git a/extensions/matrix/src/matrix/monitor/handler.ts b/extensions/matrix/src/matrix/monitor/handler.ts
index c4bd301b86a..57792075810 100644
--- a/extensions/matrix/src/matrix/monitor/handler.ts
+++ b/extensions/matrix/src/matrix/monitor/handler.ts
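Review bot: The new case in handler.test.ts pins the fail-closed behaviour only for the DM path, while the same commit also removes `fallbackEntries: groupAllowFrom` in handler.ts, so the group side of the access change has no regression test. A sibling case that starts with a wildcard group allowlist, empties the live group allowlist, and asserts that `dispatchReplyFromConfig` is not called again would cover it. It would also help to add a case where the live `dm.allowFrom` key is removed entirely rather than set to `[]`, since that is a different input to the same code path. The enclosing `describe` block starts and ends outside the hunk.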
@@ -216,14 +216,8 @@ function isMatrixHotReloadAllowlistEntry(entry: string): boolean {
 function resolveEffectiveMatrixLiveAllowlist(params: {
 liveEntries?: ReadonlyArray;
 startupResolvedEntries?: readonly MatrixResolvedAllowlistEntry[];
- fallbackEntries?: readonly string[];
 }): string[] {
 const liveEntries = normalizeConfiguredMatrixAllowlistEntries(params.liveEntries);
- const startupResolvedEntries = params.startupResolvedEntries ?? [];
- if (liveEntries.length === 0 && startupResolvedEntries.length === 0) {
- return [...(params.fallbackEntries ?? [])];
- }
-
 const liveInputs = new Set(liveEntries);
 const effective: string[] = [];
 const seen = new Set();
@@ -245,7 +239,7 @@ function resolveEffectiveMatrixLiveAllowlist(params: {
 add(entry);
 }
 }
- for (const entry of startupResolvedEntries) {
+ for (const entry of params.startupResolvedEntries ?? []) {
 if (liveInputs.has(entry.input)) {
 add(entry.id);
 }
@@ -420,9 +414,7 @@ export function createMatrixRoomMessageHandler(params: MatrixMonitorHandlerParam
 runtime,
 logger,
 logVerboseMessage,
- allowFrom,
 allowFromResolvedEntries = [],
- groupAllowFrom = [],
 groupAllowFromResolvedEntries = [],
 roomsConfig,
 accountAllowBots,
@@ -713,12 +705,10 @@ export function createMatrixRoomMessageHandler(params: MatrixMonitorHandlerParam
 const liveDmAllowFrom = resolveEffectiveMatrixLiveAllowlist({
 liveEntries: liveAccountAllowlists.dmAllowFrom,
 startupResolvedEntries: allowFromResolvedEntries,
- fallbackEntries: allowFrom,
 });
 const liveGroupAllowFrom = resolveEffectiveMatrixLiveAllowlist({
 liveEntries: liveAccountAllowlists.groupAllowFrom,
 startupResolvedEntries: groupAllowFromResolvedEntries,
- fallbackEntries: groupAllowFrom,
 });
 const accessState = resolveMatrixMonitorAccessState({
 allowFrom: liveDmAllowFrom,
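Review bot: resolveEffectiveMatrixLiveAllowlist (first hunk of handler.ts) now yields an empty list whenever the live entries are empty, and nothing on the function says this is deliberate, so a later change could restore the fallback without noticing it reopens access. I would add a doc comment above it such as `/** Fail closed: the effective allowlist comes from the live config only; startup-resolved ids are kept only while their input is still listed live. */`. Because `liveEntries` is optional, a missing key presumably normalizes to the same empty result, where it previously inherited the startup list when no resolved entries existed; it is worth confirming that deny is intended for that case too. It also relies on `resolveMatrixMonitorAccessState` treating an empty `allowFrom` as deny rather than unrestricted, which is not visible here. The function body continues outside the hunk.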
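Review bot: `allowFrom` and `groupAllowFrom` are dropped from the destructuring in createMatrixRoomMessageHandler (third hunk of handler.ts), yet the test added in this commit still passes `allowFrom: ["*"]` to the harness, which suggests both fields remain on MatrixMonitorHandlerParams. If so, callers can keep supplying a startup allowlist that no longer influences the access decision, and nothing tells them. Removing the two fields from the params type, or tagging them `/** @deprecated no longer consulted for access checks; the live config is authoritative */`, would make the contract explicit. The params type is declared outside the hunk, so this is inferred from the visible lines.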