From cf311730dffe780c7eb98ecba3761b3030f2be6b Mon Sep 17 00:00:00 2001 From: jaydenfyi <213395523+jaydenfyi@users.noreply.github.com> Date: Sun, 25 Jan 2026 16:04:11 +0800 Subject: [PATCH] adjust access control logic --- .claude/settings.local.json | 8 ---- extensions/twitch/src/access-control.test.ts | 48 ++++++++++++++++++-- extensions/twitch/src/access-control.ts | 13 ++---- 3 files changed, 49 insertions(+), 20 deletions(-) delete mode 100644 .claude/settings.local.json diff --git a/.claude/settings.local.json b/.claude/settings.local.json deleted file mode 100644 index 130c5188e..000000000 --- a/.claude/settings.local.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "permissions": { - "allow": [ - "Bash(pnpm vitest:*)", - "Bash(git diff:*)" - ] - } -} diff --git a/extensions/twitch/src/access-control.test.ts b/extensions/twitch/src/access-control.test.ts index b9c3c24a4..459cf0da7 100644 --- a/extensions/twitch/src/access-control.test.ts +++ b/extensions/twitch/src/access-control.test.ts @@ -96,7 +96,7 @@ describe("checkTwitchAccessControl", () => { expect(result.matchSource).toBe("allowlist"); }); - it("blocks users not in the allowlist", () => { + it("allows users not in allowlist via fallback (open access)", () => { const account: TwitchAccountConfig = { ...mockAccount, allowFrom: ["789012"], @@ -107,8 +107,8 @@ describe("checkTwitchAccessControl", () => { account, botUsername: "testbot", }); - expect(result.allowed).toBe(false); - expect(result.reason).toContain("not in allowlist"); + // Falls through to final fallback since allowedRoles is not set + expect(result.allowed).toBe(true); }); it("blocks messages without userId", () => { @@ -145,6 +145,48 @@ describe("checkTwitchAccessControl", () => { }); expect(result.allowed).toBe(true); }); + + it("allows user with role even if not in allowlist", () => { + const account: TwitchAccountConfig = { + ...mockAccount, + allowFrom: ["789012"], + allowedRoles: ["moderator"], + }; + const message: TwitchChatMessage = { + ...mockMessage, + userId: "123456", + isMod: true, + }; + + const result = checkTwitchAccessControl({ + message, + account, + botUsername: "testbot", + }); + expect(result.allowed).toBe(true); + expect(result.matchSource).toBe("role"); + }); + + it("blocks user with neither allowlist nor role", () => { + const account: TwitchAccountConfig = { + ...mockAccount, + allowFrom: ["789012"], + allowedRoles: ["moderator"], + }; + const message: TwitchChatMessage = { + ...mockMessage, + userId: "123456", + isMod: false, + }; + + const result = checkTwitchAccessControl({ + message, + account, + botUsername: "testbot", + }); + expect(result.allowed).toBe(false); + expect(result.reason).toContain("does not have any of the required roles"); + }); }); describe("allowedRoles", () => { diff --git a/extensions/twitch/src/access-control.ts b/extensions/twitch/src/access-control.ts index 005dfbdf6..1e985b938 100644 --- a/extensions/twitch/src/access-control.ts +++ b/extensions/twitch/src/access-control.ts @@ -59,18 +59,13 @@ export function checkTwitchAccessControl(params: { }; } - if (!allowFrom.includes(senderId)) { + if (allowFrom.includes(senderId)) { return { - allowed: false, - reason: "sender not in allowlist", + allowed: true, + matchKey: senderId, + matchSource: "allowlist", }; } - - return { - allowed: true, - matchKey: senderId, - matchSource: "allowlist", - }; } if (account.allowedRoles && account.allowedRoles.length > 0) {