fix: require owner for trajectory export (#97840)

This commit is contained in:
Pavan Kumar Gondhi
2026-06-30 16:59:50 +05:30
committed by GitHub
parent 738b2be4b4
commit 6cb82eaab8
2 changed files with 18 additions and 2 deletions

View File

@@ -133,7 +133,7 @@ describe("info command handlers", () => {
});
});
it("only lets owners export trajectory bundles", async () => {
it("ignores trajectory export requests from unauthorized senders", async () => {
const params = buildInfoParams("/export-trajectory", {
commands: { text: true },
} as OpenClawConfig);
@@ -145,6 +145,18 @@ describe("info command handlers", () => {
expect(buildExportTrajectoryCommandReplyMock).not.toHaveBeenCalled();
});
it("blocks authorized non-owners from exporting trajectory bundles", async () => {
const params = buildInfoParams("/export-trajectory", {
commands: { text: true },
} as OpenClawConfig);
params.command.senderIsOwner = false;
const result = await handleExportTrajectoryCommand(params, true);
expect(result).toEqual({ shouldContinue: false });
expect(buildExportTrajectoryCommandReplyMock).not.toHaveBeenCalled();
});
it("returns sender details for /whoami", async () => {
const result = await handleWhoamiCommand(
buildInfoParams(

View File

@@ -15,7 +15,7 @@ import {
} from "../status.js";
import { buildThreadingToolContext } from "./agent-runner-utils.js";
import { resolveChannelAccountId } from "./channel-context.js";
import { rejectUnauthorizedCommand } from "./command-gates.js";
import { rejectNonOwnerCommand, rejectUnauthorizedCommand } from "./command-gates.js";
import { buildExportSessionReply } from "./commands-export-session.js";
import { buildExportTrajectoryCommandReply } from "./commands-export-trajectory.js";
import { buildStatusPluginsReply, buildStatusReply } from "./commands-status.js";
@@ -348,5 +348,9 @@ export const handleExportTrajectoryCommand: CommandHandler = async (params, allo
if (unauthorized) {
return unauthorized;
}
const nonOwner = rejectNonOwnerCommand(params, "/export-trajectory");
if (nonOwner) {
return nonOwner;
}
return { shouldContinue: false, reply: await buildExportTrajectoryCommandReply(params) };
};