fix(whatsapp): gate reactions by DM/group access controls

Address Codex review - reactions now respect the same access controls as messages (dmPolicy, allowlists, etc). Self-reactions bypass the check since they're our own actions, not inbound events. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 12:42:08 -06:00 · 2026-01-29 12:42:08 -06:00 · 734a7a476d
commit 734a7a476d
parent a0d3aaf541
1 changed files with 25 additions and 0 deletions
--- a/src/web/inbound/monitor.ts
+++ b/src/web/inbound/monitor.ts
@ -352,6 +352,31 @@ export async function monitorWebInbox(options: {
          }
          const senderE164 = senderJid ? await resolveInboundJid(senderJid) : null;

+          // Gate reactions by the same access controls as messages (skip for our own reactions)
+          const isOwnReaction = Boolean(reactionKey?.fromMe);
+          if (!isOwnReaction) {
+            const from = group ? chatJid : await resolveInboundJid(chatJid);
+            if (!from) continue;
+            const access = await checkInboundAccessControl({
+              accountId: options.accountId,
+              from,
+              selfE164,
+              senderE164,
+              group,
+              isFromMe: false,
+              connectedAtMs,
+              sock: { sendMessage: (jid, content) => sock.sendMessage(jid, content) },
+              remoteJid: chatJid,
+            });
+            if (!access.allowed) {
+              inboundLogger.debug(
+                { chatJid, senderJid, group },
+                "reaction blocked by access control",
+              );
+              continue;
+            }
+          }
+
          const chatType = group ? "group" : "direct";
          inboundLogger.info(
            {