hermes-agent/plugins/platforms
LaPhilosophie f6f363662e fix(discord): fail closed for component button auth when no allowlist set
Salvage of the Discord half of PR #30964 by @LaPhilosophie. Discord
component button callbacks (ExecApprovalView, SlashConfirmView,
UpdatePromptView, ModelPickerView) bypass the normal message dispatch
authorization path. _component_check_auth previously returned True when
both the user and role allowlists were empty, so any guild member who
could see an approval prompt could click Approve on a dangerous command.

Fail closed instead: require DISCORD_ALLOWED_USERS / DISCORD_ALLOWED_ROLES
/ GATEWAY_ALLOWED_USERS membership, or an explicit DISCORD_ALLOW_ALL_USERS
/ GATEWAY_ALLOW_ALL_USERS opt-in for deliberately-open deployments.

Mirrors the Telegram (#24457) and Matrix fail-closed precedent.
The Slack half of #30964 is superseded by PR #33844's helper.

Reported via GHSA-mc26-p6fw-7pp6 (@whyiug).

Co-authored-by: LaPhilosophie <804436395@qq.com>
2026-06-07 06:21:37 -07:00
discord fix(discord): fail closed for component button auth when no allowlist set 2026-06-07 06:21:37 -07:00
google_chat fix: guard int(os.getenv()) casts against malformed env vars (#40598) 2026-06-07 06:14:24 -07:00
homeassistant refactor(gateway): migrate Home Assistant adapter to bundled plugin 2026-06-06 11:46:24 -07:00
irc fix: guard int(os.getenv()) casts against malformed env vars (#40598) 2026-06-07 06:14:24 -07:00
line fix(line): map inbound message types to the correct MessageType 2026-06-04 21:55:20 -07:00
mattermost refactor(gateway): migrate Mattermost adapter to bundled plugin 2026-05-24 18:05:33 -07:00
ntfy test(ntfy): cover echo-tag filter; tag standalone send path 2026-05-29 13:17:46 -07:00
simplex fix(simplex): accept display name in SIMPLEX_ALLOWED_USERS 2026-06-07 04:53:22 -07:00
teams chore: ruff auto-fix PLR6201 resweep — tuple → set in membership tests (#27355) 2026-05-17 02:29:41 -07:00