Telegram native command auth in groups checks DM allowlist instead of groupAllowFrom

[baccula]

Bug

Native Telegram slash commands (e.g. /status, /help) in supergroup topics reject authorized senders with "You are not authorized to use this command." even when the sender is in channels.telegram.groupAllowFrom.

Root Cause

In resolveTelegramCommandAuth, the final authorization check uses the DM allowlist (channels.telegram.allowFrom) rather than groupAllowFrom, even when the command originates from a group:

const dmAllow = normalizeDmAllowFromWithStore$1({
    allowFrom,           // <-- DM allowlist, not groupAllowFrom
    storeAllowFrom: isGroup ? [] : storeAllowFrom,
    dmPolicy: telegramCfg.dmPolicy ?? "pairing"
});
const senderAllowed = isSenderAllowed$1({
    allow: dmAllow,
    senderId,
    senderUsername
});
const commandAuthorized = resolveCommandAuthorizedFromAuthorizers({
    useAccessGroups,
    authorizers: [{ configured: dmAllow.hasEntries, allowed: senderAllowed }],
    modeWhenAccessGroupsOff: "configured"
});
if (requireAuth && !commandAuthorized) return await rejectNotAuthorized();

Regular group messages use a different auth path (shouldSkipGroupMessage → evaluateTelegramGroupPolicyAccess) that correctly checks groupAllowFrom. So the bug is isolated to native command handling.

Additional Issue

The sendAuthMessage helper in resolveTelegramCommandAuth sends to chatId without thread params, so the rejection message appears in #General instead of the topic where the command was sent.

Config That Triggers This

{
  "channels": {
    "telegram": {
      "groupAllowFrom": [123456789],
      "groupPolicy": "allowlist",
      "groups": {
        "-100xxxxxxxxxx": {
          "allowFrom": [123456789]
        }
      }
      // no top-level "allowFrom" set
    }
  }
}

Expected Behavior

• Native commands in groups should authorize against groupAllowFrom (and group/topic-level allowFrom), not the DM allowlist.
• Auth rejection messages in forum topics should include thread params to reply in the correct topic.

Workaround

Add the user ID to channels.telegram.allowFrom (the DM allowlist). This fixes native command auth in groups but shouldn't be required.

Version

openclaw 2026.2.26

[eriktobben]

I am having the same issue, and it seems to have been introduced in 2026.2.26 as this was working in 2026.2.25.

[pushkarsingh32]

Opened a fix for this: #30272

Uses effectiveGroupAllow (already resolved from groupAllowFrom and per-group/topic overrides) for group contexts in resolveTelegramCommandAuth, keeping DM allowlist logic only for direct messages. All CI checks pass.

[dongzhenye]

Can confirm this issue. Running openclaw 2026.2.26 with groupPolicy: "allowlist" and allowFrom: ["*"] on the group. Paired DM user sends /status in a supergroup → gets "You are not authorized to use this command."

Traced through the same code path in resolveTelegramCommandAuth — the final commandAuthorized check uses DM-level allowFrom (empty in my case) with storeAllowFrom forced to [] for groups, so no authorizer has configured: true, and resolveCommandAuthorizedFromAuthorizers returns false.

commands.allowFrom works as a workaround but shouldn't be required.

[edwluo]

Still present on 2026.3.2. Opened #39267 with fix + test.

[vincentkoc]

Keeping this open as the canonical issue for the native Telegram group command auth bug.

The active fix path is #39267. Earlier passes in #29230 and #30272 covered the same root cause and stay part of the history, but #39267 is the current branch we're carrying forward. I'm closing #29135 as the forum-topic symptom of this same bug, and keeping #28216 separate because that one tracks commands.allowFrom precedence drift instead.

If that boundary looks wrong in your repro, point me to the exact failing step and I'll re-check it.