OoO d276853e54 fix(post-3.5g): restore _is_authorized fail-closed for callback + message (CRIT-2 + HIGH-3) ...

從 4349db2~1 撈回 _is_authorized() 並重新套用到 callback 與 message handler。

問題：
- CRIT-2 (callback fail-open)：原本只擋 group/supergroup 不匹配，
  private chat 任何人都能觸發 callback 指令（按鈕 menu/await/cmd）。
- HIGH-3 (message short-circuit fail)：`if ALLOWED_USERS and _uid not in ALLOWED_USERS`
  在 OPENCLAW_ALLOWED_USERS 環境變數未設時 → ALLOWED_USERS 為空 set →
  `if False and ...` 整段不執行 → 所有 private 訊息都通過。

修法（fail-closed 三檢查）：
1. 在頂部 import 區下方還原 `_is_authorized(chat_type, chat_id, user_id)`：
   - group/supergroup：chat_id 必須等於 ALLOWED_GROUP
   - private：user_id 必須在 ALLOWED_USERS（空 set → 全拒）
   - channel / 未知 / 缺欄位 → 拒絕
2. callback handler 替換為 `if not _is_authorized(chat_type, chat_id, cq_from_id)`
   並從 cq.get('from') 取 user_id（之前完全沒取）。
3. message handler 替換為統一檢查，未授權回 403 + 靜默（不回 Telegram 避免偵察）。

驗證：
- AST parse OK
- 模擬測試：999999 私訊 → False；111（在白名單）私訊 → True；
  錯誤群組 → False；channel → False；None → False
- grep 結果：剩下兩處 `_is_authorized` 呼叫（callback 5195, message 5255），
  舊的 `ALLOWED_USERS and _uid not in ALLOWED_USERS` 已移除（只留註解描述歷史）。

Critic findings: CRIT-2 + HIGH-3
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-28 14:40:22 +08:00

.claude

[V10.4-A] 加強 commit-quality Hook + P9 文件歸檔

2026-04-25 01:42:40 +08:00

.gitea/workflows

fix(ci): use docker compose restart instead of hardcoded container names in sync mode

2026-04-28 13:36:23 +08:00

.github/workflows

Fix Telegram bot natural language communication issue

2026-04-22 14:27:50 +08:00

.windsurf/workflows

feat: 實作 PPT 簡報資料庫持久化機制

2026-04-20 22:59:04 +08:00

aiops-core

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

bin

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

crawler

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

data

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

database

refactor: fix reverse dependencies — logger_manager→utils, dashboard_service extraction

2026-04-27 21:28:23 +08:00

deploy

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

deploy_scripts

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

docker

fix(db): 補建 ai_insights / action_plans 表

2026-04-22 09:25:38 +08:00

docs

feat: 新增三個促銷活動爬蟲支援（母親節、520情人節、勞動節）

2026-04-28 13:57:44 +08:00

export_assets

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

k8s

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

k8s 2

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

migrations

fix(p1): resolve 014 migration conflict, remove orphan file, add healthchecks

2026-04-27 21:15:40 +08:00

monitoring

fix: Phase 2 P0 全清零 — 14 項安全與功能修復完成

2026-04-27 21:11:52 +08:00

n8n-workflows

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

nextcloud

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

routes

fix(post-3.5g): restore _is_authorized fail-closed for callback + message (CRIT-2 + HIGH-3)

2026-04-28 14:40:22 +08:00

scripts

Fix Telegram bot natural language communication issue

2026-04-22 14:27:50 +08:00

services

fix(post-3.5g): restore generate_embedding for KM dual-write (CRIT-1)

2026-04-28 14:40:22 +08:00

static/images

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

static_maintenance

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

templates

Fix Telegram bot natural language communication issue

2026-04-22 14:27:50 +08:00

tests

fix(security): 全域健檢 — 40 項安全/Bug/品質修復

2026-04-22 01:12:23 +08:00

utils

refactor: fix reverse dependencies — logger_manager→utils, dashboard_service extraction

2026-04-27 21:28:23 +08:00

web

fix(security): 全域健檢 — 40 項安全/Bug/品質修復

2026-04-22 01:12:23 +08:00

__init__.py

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

.claudeignore

feat: 實作 PPT 簡報資料庫持久化機制

2026-04-20 22:59:04 +08:00

.env.example

fix(post-3.5c): .env.example 補齊 HERMES_URL + DISABLE_LOGIN

2026-04-28 12:15:59 +08:00

.gitignore

fix(security): 全域健檢 — 40 項安全/Bug/品質修復

2026-04-22 01:12:23 +08:00

.gitlab-ci.yml

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

abc_analysis_detail.html

fix: Phase 2 P0 全清零 — 14 項安全與功能修復完成

2026-04-27 21:11:52 +08:00

app.py

refactor: centralize config — HERMES_URL, SSH params, validate_critical_config()

2026-04-27 21:27:47 +08:00

app.py.backup_login_required

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

auth.py

fix: url_for('dashboard') → url_for('index') — endpoint 名稱錯誤導致登入 500

2026-04-27 21:30:33 +08:00

auto_import_index.html

fix: Phase 2 P0 全清零 — 14 項安全與功能修復完成

2026-04-27 21:11:52 +08:00

AUTO_IMPORT_README.md

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

brand_assets.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

CLAUDE.md

refactor(claude): Phase B — momo CLAUDE.md 去重 + secrets.local.json

2026-04-21 23:13:18 +08:00

CODE_REVIEW_GUIDE.md

Fix Telegram bot natural language communication issue

2026-04-22 14:27:50 +08:00

components

fix(repo): update broken symlink to correct components path

2026-04-20 23:59:33 +08:00

config.py

fix(post-3.5c): config.py 新增 EMBEDDING_HOST 常數（C-2 部分達成）

2026-04-28 12:15:59 +08:00

CONSTITUTION.md

feat: AI 治理完備 V10.3 — 技術債清零 + DB 備份機制 + 備份 AI 監控

2026-04-19 02:03:45 +08:00

crawler_management.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

daily_sales.html

fix: Phase 2 P0 全清零 — 14 項安全與功能修復完成

2026-04-27 21:11:52 +08:00

dashboard.html

fix: Phase 2 P0 全清零 — 14 項安全與功能修復完成

2026-04-27 21:11:52 +08:00

deploy_docker_guide.md

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

deploy_docker_uat.sh

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

DEPLOY_README.md

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

deploy_to_uat.sh

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

DEPLOYMENT_WORKFLOW.md

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

design_assets_recommendation.md

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

disable_maintenance.sh

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

docker-compose.devops.yml

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

docker-compose.yml

fix: mount routes directory for telegram-bot and scheduler

2026-04-28 12:44:10 +08:00

Dockerfile

feat: AiderHeal 支援 ssh 與 Ollama 設為首選 AI 引擎

2026-04-28 11:41:12 +08:00

DRIFT_SCANNER_FIX_GUIDE.md

fix: drift-scanner pods cleanup script and guide

2026-04-22 11:14:48 +08:00

DRIFT_SCANNER_NOTES.md

add drift-scanner cleanup notes

2026-04-22 14:27:50 +08:00

edm_dashboard.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

enable_maintenance.sh

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

final_report.md

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

GOOGLE_DRIVE_SETUP.md

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

growth_analysis.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

gunicorn.service

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

history.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

import.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

incorrect_images.txt

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

index.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

kill_old_gunicorn.sh

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

list.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

login.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

logs.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

maintenance.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

messageImage_1768497700711.jpg

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

momo-scheduler.service

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

momo.service

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

monitor_memory_trend.sh

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

monthly_summary_analysis.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

nginx.conf

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

pyvenv.cfg

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

quick_fix.sh

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

requirements.txt

fix(security): 全域健檢 — 40 項安全/Bug/品質修復

2026-04-22 01:12:23 +08:00

run_scheduler.py

feat: 新增三個促銷活動爬蟲支援（母親節、520情人節、勞動節）

2026-04-28 13:57:44 +08:00

run_security_tests.sh

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

run_telegram_bot.py

fix(security): 全域健檢 — 40 項安全/Bug/品質修復

2026-04-22 01:12:23 +08:00

sales_analysis.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

scheduler.py

fix: 新增 Vue.js 模板頁面支援的策略 3 和策略 4

2026-04-28 14:26:41 +08:00

SECURITY_FIX_DATABASE_PASSWORD.md

fix: resolve datetime variable scope error and duplicate alert notifications

2026-04-22 14:32:34 +08:00

SECURITY_FIX_SUMMARY.md

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

send_email.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

settings.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

setup_maintenance_and_fix_timeout.sh

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

start_momo.command

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

sync_env.sh

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

system_settings.html

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

test_vendor.xlsx

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

TODO_NEXT_STEPS.txt

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

vendor_email_template.xlsx

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

vendor_stockout_list.html.backup

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

即時業績_當日_20260112.xlsx

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

廠商清單_含郵件欄位_20260112_233715.xlsx

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

活頁簿2.xlsx

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

測試_MAIL欄位_大寫.xlsx

feat: EwoooC 初始化 — 完整專案推版至 Gitea

2026-04-19 01:21:13 +08:00

Description

EwoooC — 商品看板 + 業績報表 + AI KM (Flask + pgvector, Docker Compose on 188)

37 MiB

Languages

PostScript 59.7%

Python 30.9%

HTML 4.2%

CSS 2.1%

JavaScript 1.9%

Other 1.1%