From 09241f102ee2f113c10d5a4894fdae0cb9676d4c Mon Sep 17 00:00:00 2001 From: OG T Date: Fri, 3 Apr 2026 18:17:22 +0800 Subject: [PATCH] =?UTF-8?q?fix(group):=20=E7=BE=A4=E7=B5=84=E8=A8=8A?= =?UTF-8?q?=E6=81=AF=E7=A7=BB=E5=88=B0=20security=20interceptor=20?= =?UTF-8?q?=E5=89=8D=20=E2=80=94=20=E4=BF=AE=E5=BE=A9=20whitelist=20?= =?UTF-8?q?=E6=93=8B=E6=8E=89=E6=89=80=E6=9C=89=E7=BE=A4=E7=B5=84=E8=A8=8A?= =?UTF-8?q?=E6=81=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 根因: intercept_telegram() 的 whitelist 是字串,user_id 是 int 型別不匹配 → exception → telegram_chat_unauthorized → 群組訊息全被丟棄 修法: SRE 群組訊息優先路由,不走個人 whitelist (群組成員由 Telegram 群組管理員控制,安全邊界已存在) Co-Authored-By: Claude Sonnet 4.6 --- apps/api/src/services/telegram_gateway.py | 31 ++++++++--------------- 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/apps/api/src/services/telegram_gateway.py b/apps/api/src/services/telegram_gateway.py index f2c44e44..d9c66fee 100644 --- a/apps/api/src/services/telegram_gateway.py +++ b/apps/api/src/services/telegram_gateway.py @@ -3097,7 +3097,16 @@ class TelegramGateway: text=text[:50], ) - # 1. 安全檢查 (ADR-012) + # 1. 群組訊息路由優先 (2026-04-03 ogt: SRE 戰情室群組無需個人白名單) + # 群組是封閉環境,成員由 Telegram 群組管理員控制,不走個人 whitelist + is_group = chat_type in ("group", "supergroup") + is_sre_group = str(chat_id) == str(settings.SRE_GROUP_CHAT_ID) + + if is_group and is_sre_group: + await self._handle_group_message(text, user_id, username, chat_id, message_id) + return + + # 2. 個人 chat 安全檢查 (ADR-012) try: interceptor = get_security_interceptor() await interceptor.intercept_telegram(user_id) @@ -3105,7 +3114,7 @@ class TelegramGateway: logger.warning("telegram_chat_unauthorized", user_id=user_id, error=str(e)) return - # 2. /ai 指令攔截 (Phase 24 C — 2026-04-03 ogt) + # 3. /ai 指令攔截 (Phase 24 C — 2026-04-03 ogt) if text.strip().lower().startswith("/ai"): whitelist = settings.get_tg_user_whitelist() if not whitelist or user_id not in whitelist: 
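Review bot: The early `return` for the SRE group now skips not only `intercept_telegram()` but also the `/ai` per-user whitelist check in step 3, which before this change ran ahead of group routing, so any member of the group who can post `/ai …` reaches `_handle_group_message` without that check (whether that helper treats `/ai` specially is not visible here). The commit message names the actual defect as a str-vs-int comparison inside `intercept_telegram()`, and routing around the interceptor leaves that defect in place for every other caller; normalising the type at the comparison (`str(user_id)` against the string whitelist, or parsing the whitelist to ints once at load) would fix the group case without widening the unauthenticated surface. Since the interceptor was also where rejections were logged, the bypass path should at least leave an audit trail, e.g. `logger.info("telegram_group_message_routed", chat_id=chat_id, user_id=user_id, username=username)` immediately before the `_handle_group_message` call. The enclosing handler method starts before this hunk.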
@@ -3118,24 +3127,6 @@ class TelegramGateway: logger.info("telegram_ai_command_handled", user_id=user_id, text=text[:50]) return - # 3. 群組訊息路由 (2026-04-03 ogt: SRE 戰情室群組支援) - # 群組裡 @ 指定 Bot 或直接發訊息 → 雙 AI 並行回應到群組 - is_group = chat_type in ("group", "supergroup") - is_sre_group = str(chat_id) == str(settings.SRE_GROUP_CHAT_ID) - - logger.info( - "group_routing_check", - chat_id=chat_id, - chat_type=chat_type, - is_group=is_group, - is_sre_group=is_sre_group, - sre_group_config=str(settings.SRE_GROUP_CHAT_ID), - ) - - if is_group and is_sre_group: - await self._handle_group_message(text, user_id, username, chat_id, message_id) - return - # 4. 個人 chat — 顯示輸入狀態 await self._send_chat_action(chat_id, "typing")