fix(whatsapp): groupAllowFrom sender filter bypassed when groupPolicy is allowlist (#24670)

(cherry picked from commit af06ebd9a6)
2026-03-21 16:41:56 +00:00 · 2026-02-24 03:20:37 +08:00
parent 3f5e7f8156
commit c6bb7b0c04
4 changed files with 57 additions and 1 deletions
--- a/src/config/group-policy.test.ts
+++ b/src/config/group-policy.test.ts
@@ -89,6 +89,46 @@ describe("resolveChannelGroupPolicy", () => {
    expect(policy.allowlistEnabled).toBe(true);
    expect(policy.allowed).toBe(false);
  });
+
+  it("allows groups when groupPolicy=allowlist with hasGroupAllowFrom but no groups", () => {
+    const cfg = {
+      channels: {
+        whatsapp: {
+          groupPolicy: "allowlist",
+        },
+      },
+    } as OpenClawConfig;
+
+    const policy = resolveChannelGroupPolicy({
+      cfg,
+      channel: "whatsapp",
+      groupId: "123@g.us",
+      hasGroupAllowFrom: true,
+    });
+
+    expect(policy.allowlistEnabled).toBe(true);
+    expect(policy.allowed).toBe(true);
+  });
+
+  it("still fails closed when groupPolicy=allowlist without groups or groupAllowFrom", () => {
+    const cfg = {
+      channels: {
+        whatsapp: {
+          groupPolicy: "allowlist",
+        },
+      },
+    } as OpenClawConfig;
+
+    const policy = resolveChannelGroupPolicy({
+      cfg,
+      channel: "whatsapp",
+      groupId: "123@g.us",
+      hasGroupAllowFrom: false,
+    });
+
+    expect(policy.allowlistEnabled).toBe(true);
+    expect(policy.allowed).toBe(false);
+  });
 });

 describe("resolveToolsBySender", () => {
--- a/src/config/group-policy.ts
+++ b/src/config/group-policy.ts
@@ -328,6 +328,8 @@ export function resolveChannelGroupPolicy(params: {
  groupId?: string | null;
  accountId?: string | null;
  groupIdCaseInsensitive?: boolean;
+  /** When true, sender-level filtering (groupAllowFrom) is configured upstream. */
+  hasGroupAllowFrom?: boolean;
 }): ChannelGroupPolicy {
  const { cfg, channel } = params;
  const groups = resolveChannelGroups(cfg, channel, params.accountId);
@@ -340,8 +342,14 @@ export function resolveChannelGroupPolicy(params: {
    : undefined;
  const defaultConfig = groups?.["*"];
  const allowAll = allowlistEnabled && Boolean(groups && Object.hasOwn(groups, "*"));
+  // When groupPolicy is "allowlist" with groupAllowFrom but no explicit groups,
+  // allow the group through — sender-level filtering handles access control.
+  const senderFilterBypass =
+    groupPolicy === "allowlist" && !hasGroups && Boolean(params.hasGroupAllowFrom);
  const allowed =
-    groupPolicy === "disabled" ? false : !allowlistEnabled || allowAll || Boolean(groupConfig);
+    groupPolicy === "disabled"
+      ? false
+      : !allowlistEnabled || allowAll || Boolean(groupConfig) || senderFilterBypass;
  return {
    allowlistEnabled,
    allowed,
--- a/src/web/auto-reply/monitor/group-activation.ts
+++ b/src/web/auto-reply/monitor/group-activation.ts
@@ -16,10 +16,17 @@ export function resolveGroupPolicyFor(cfg: ReturnType<typeof loadConfig>, conver
    ChatType: "group",
    Provider: "whatsapp",
  })?.id;
+  const whatsappCfg = cfg.channels?.whatsapp as
+    | { groupAllowFrom?: string[]; allowFrom?: string[] }
+    | undefined;
+  const hasGroupAllowFrom = Boolean(
+    whatsappCfg?.groupAllowFrom?.length || whatsappCfg?.allowFrom?.length,
+  );
  return resolveChannelGroupPolicy({
    cfg,
    channel: "whatsapp",
    groupId: groupId ?? conversationId,
+    hasGroupAllowFrom,
  });
 }