Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix [Bug]: Matrix extension ignores top-level allowFrom — slash commands silently fail with isAuthorizedSender=false [4 pull requests, 1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#43688Fetched 2026-04-08 00:17:12
View on GitHub
Comments
1
Participants
2
Timeline
16
Reactions
0
Author
Kio158Kio158
Participants
gumadeirasgumadeirasKio158Kio158
Timeline (top)
referenced ×7cross-referenced ×4labeled ×2closed ×1

The Matrix channel extension reads the DM allowlist exclusively from channels.matrix.dm.allowFrom, ignoring the top-level channels.matrix.allowFrom. This is inconsistent with other channel plugins (Discord, Google Chat, etc.) which resolve the allowlist as:

channelConfig.allowFrom ?? channelConfig.dm?.allowFrom

As a result, when allowFrom: ["*"] is set at the top level of the matrix channel config (which is the natural/intuitive placement), effectiveAllowFrom resolves to [], causing commandAuthorized=false and isAuthorizedSender=false. All slash commands (/status, /help, /new, /compact, etc.) are silently rejected with no reply and no user-facing error.

Root Cause In extensions/matrix/src/matrix/monitor/index.ts, line ~217: const allowFrom = await resolveMatrixUserAllowlist({ cfg: params.cfg, runtime: params.runtime, label: "matrix dm allowlist", list: params.accountConfig.dm?.allowFrom ?? [], // ← only reads dm.allowFrom}); This should follow the same pattern used by other channels: list: params.accountConfig.allowFrom ?? params.accountConfig.dm?.allowFrom ?? [], For comparison, the generic channel compat layer (dist/plugin-sdk/index.js:1125) and Discord (dist/plugin-sdk/discord.js:16630) both use: const existingAllowFrom = channelConfig.allowFrom ?? channelConfig.dm?.allowFrom;

Error Message

As a result, when allowFrom: ["*"] is set at the top level of the matrix channel config (which is the natural/intuitive placement), effectiveAllowFrom resolves to [], causing commandAuthorized=false and isAuthorizedSender=false. All slash commands (/status, /help, /new, /compact, etc.) are silently rejected with no reply and no user-facing error. Message is received and processed (outcome=completed in logs) but no reply is sent. No error is logged at INFO level. 1.All slash commands (/status, /help, /new, /reset, /think, /model, /compact, /stop, etc.) are silently dropped — no reply, no error message to the user.

Root Cause

Root Cause In extensions/matrix/src/matrix/monitor/index.ts, line ~217: const allowFrom = await resolveMatrixUserAllowlist({ cfg: params.cfg, runtime: params.runtime, label: "matrix dm allowlist", list: params.accountConfig.dm?.allowFrom ?? [], // ← only reads dm.allowFrom}); This should follow the same pattern used by other channels: list: params.accountConfig.allowFrom ?? params.accountConfig.dm?.allowFrom ?? [], For comparison, the generic channel compat layer (dist/plugin-sdk/index.js:1125) and Discord (dist/plugin-sdk/discord.js:16630) both use: const existingAllowFrom = channelConfig.allowFrom ?? channelConfig.dm?.allowFrom;

Fix Action

Fix / Workaround

1.All slash commands (/status, /help, /new, /reset, /think, /model, /compact, /stop, etc.) are silently dropped — no reply, no error message to the user. 2.Normal text messages still work because they bypass the isAuthorizedSender check in the AI dispatch path. 3.This makes the issue very confusing to diagnose — the bot appears to selectively ignore only commands while responding to regular conversation. 4.Only a DEBUG-level log (Ignoring /status from unauthorized sender) hints at the cause, but this is not visible at the default INFO log level.

Workaround Move allowFrom under the dm key: { "channels": { "matrix": { "dm": { "policy": "open", "allowFrom": ["*"] } } } }

PR fix notes

PR #43698: fix(matrix): prioritize top-level allowFrom over dm.allowFrom (fixes #43688)

Description (problem / solution / changelog)

Summary

The Matrix extension was only reading allowFrom from channels.matrix.dm.allowFrom, ignoring the top-level channels.matrix.allowFrom. This was inconsistent with other channel plugins (Discord, Google Chat, etc.) and caused slash commands to silently fail with isAuthorizedSender=false when allowFrom was set at the top level.

Changes

This fix updates the resolveAllowFrom logic in three places:

  1. matrixConfigAccessors (channel.ts:104) - for UI/config display
  2. resolveMatrixDmPolicy (channel.ts:127) - for DM security policy resolution
  3. resolveMatrixMonitorConfig (matrix/monitor/index.ts:217) - for runtime allowlist resolution

The pattern now matches other channels: channelConfig.allowFrom ?? channelConfig.dm?.allowFrom

Testing

All 129 Matrix extension tests pass.

Fixes #43688

Changed files

  • extensions/matrix/src/channel.ts (modified, +3/-3)
  • extensions/matrix/src/matrix/monitor/index.ts (modified, +1/-1)

PR #43699: fix(matrix): read top-level allowFrom before dm.allowFrom

Description (problem / solution / changelog)

Summary\n\nFixes a regression where Matrix channel extension only read dm.allowFrom, ignoring any top-level llowFrom config.\n\n## Problem\n\n1. Missing type: MatrixConfig type didn't define a top-level llowFrom field\n2. Wrong resolution order: The fix must preserve per-account allowlist precedence\n\n## Changes\n\nThe correct precedence order is:\n1. Account-specific dm.allowFrom (most specific)\n2. Top-level llowFrom (fallback)\n3. [] (default)\n\nThis preserves multi-account configurations where each account can have its own dm.allowFrom while still supporting a top-level default.\n\n## Files Changed\n\n- types.ts: Added llowFrom field to MatrixConfig\n- monitor/index.ts: Fixed resolution order to dm.allowFrom ?? allowFrom ?? []\n\n## Related\n\n- Fixes #43688

Changed files

  • extensions/matrix/src/matrix/monitor/index.ts (modified, +1/-1)
  • extensions/matrix/src/types.ts (modified, +2/-0)
  • src/agents/model-selection.ts (modified, +9/-0)
  • src/agents/models-config.providers.discovery.ts (modified, +2/-2)
  • src/commands/agent.ts (modified, +4/-1)
  • src/cron/service/timer.ts (modified, +6/-1)
  • src/daemon/schtasks.ts (modified, +5/-2)
  • ui/src/ui/gateway.ts (modified, +1/-1)

PR #43702: fix(matrix): honor top-level allowFrom for DM command auth

Description (problem / solution / changelog)

Summary

  • use channels.matrix.allowFrom as the primary DM allowlist for monitor auth, falling back to channels.matrix.dm.allowFrom
  • add a regression test covering top-level allowFrom precedence

Why

Matrix command authorization currently reads only dm.allowFrom, so configs that place allowFrom at the top level silently reject DM slash commands even though other channel integrations already honor the top-level field first.

Testing

  • corepack pnpm exec vitest run extensions/matrix/src/matrix/monitor/*.test.ts

Closes #43688

Changed files

  • extensions/matrix/src/matrix/monitor/index.test.ts (modified, +18/-1)
  • extensions/matrix/src/matrix/monitor/index.ts (modified, +2/-2)

PR #46312: fix: Matrix extension reads top-level allowFrom for DM authorization (closes #43688)

Description (problem / solution / changelog)

Summary

Fix Matrix DM authorization to read channels.matrix.allowFrom (top-level) in addition to channels.matrix.dm.allowFrom. Previously only the nested dm.allowFrom was checked, causing slash commands to silently fail when allowFrom was configured at the channel level.

Change Type

Bug fix (regression)

Scope

  • extensions/matrix/src/matrix/monitor/index.ts – one-line fix to allowlist resolution

Linked Issue

Closes #43688

Security Impact

None – restores intended authorization behavior consistent with other channels.

Repro

  1. Set channels.matrix.allowFrom: ["*"] (top-level, NOT under dm:)
  2. Send /status in a DM with the bot
  3. Previously: silently dropped (isAuthorizedSender=false)
  4. After fix: bot replies correctly

Evidence

  • pnpm build ✅ (verified via other worktree build)
  • Change matches Discord/Google Chat pattern: allowFrom ?? dm?.allowFrom ?? []

Compatibility

Backward-compatible – dm.allowFrom still works as before; top-level allowFrom is now also honored.

Risks

None – additive fallback, one-line change.

This PR was AI-assisted (fully tested with pnpm build/check/test).

Changed files

  • extensions/matrix/src/matrix/monitor/index.ts (modified, +1/-1)
  • extensions/matrix/src/types.ts (modified, +2/-0)
RAW_BUFFERClick to expand / collapse

Bug type

Regression (worked before, now fails)

Summary

The Matrix channel extension reads the DM allowlist exclusively from channels.matrix.dm.allowFrom, ignoring the top-level channels.matrix.allowFrom. This is inconsistent with other channel plugins (Discord, Google Chat, etc.) which resolve the allowlist as:

channelConfig.allowFrom ?? channelConfig.dm?.allowFrom

As a result, when allowFrom: ["*"] is set at the top level of the matrix channel config (which is the natural/intuitive placement), effectiveAllowFrom resolves to [], causing commandAuthorized=false and isAuthorizedSender=false. All slash commands (/status, /help, /new, /compact, etc.) are silently rejected with no reply and no user-facing error.

Root Cause In extensions/matrix/src/matrix/monitor/index.ts, line ~217: const allowFrom = await resolveMatrixUserAllowlist({ cfg: params.cfg, runtime: params.runtime, label: "matrix dm allowlist", list: params.accountConfig.dm?.allowFrom ?? [], // ← only reads dm.allowFrom}); This should follow the same pattern used by other channels: list: params.accountConfig.allowFrom ?? params.accountConfig.dm?.allowFrom ?? [], For comparison, the generic channel compat layer (dist/plugin-sdk/index.js:1125) and Discord (dist/plugin-sdk/discord.js:16630) both use: const existingAllowFrom = channelConfig.allowFrom ?? channelConfig.dm?.allowFrom;

Steps to reproduce

1.Configure Matrix channel with allowFrom at the top level: { "channels": { "matrix": { "enabled": true, "homeserver": "http://example.com:8008", "accessToken": "...", "dm": { "policy": "open" }, "allowFrom": ["*"] } } }

2.Send /status or /help in a DM with the bot.

Expected behavior

Bot replies with status info or help text.

Actual behavior

Message is received and processed (outcome=completed in logs) but no reply is sent. No error is logged at INFO level.

OpenClaw version

2026.3.8

Operating system

Linux

Install method

npm

Model

minimax

Provider / routing chain

openclaw-minimax

Config file / key location

No response

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

1.All slash commands (/status, /help, /new, /reset, /think, /model, /compact, /stop, etc.) are silently dropped — no reply, no error message to the user. 2.Normal text messages still work because they bypass the isAuthorizedSender check in the AI dispatch path. 3.This makes the issue very confusing to diagnose — the bot appears to selectively ignore only commands while responding to regular conversation. 4.Only a DEBUG-level log (Ignoring /status from unauthorized sender) hints at the cause, but this is not visible at the default INFO log level.

Additional information

Workaround Move allowFrom under the dm key: { "channels": { "matrix": { "dm": { "policy": "open", "allowFrom": ["*"] } } } }

extent analysis

Fix Plan

To resolve the issue, we need to update the resolveMatrixUserAllowlist function to follow the same pattern used by other channels. We can do this by changing the list parameter to include both allowFrom and dm.allowFrom values.

  • Update the extensions/matrix/src/matrix/monitor/index.ts file:
const allowFrom = await resolveMatrixUserAllowlist({
  cfg: params.cfg,
  runtime: params.runtime,
  label: "matrix allowlist",
  list: params.accountConfig.allowFrom ?? params.accountConfig.dm?.allowFrom ?? [],
});
  • This change will ensure that the allowFrom value is read from both the top-level allowFrom and the dm.allowFrom properties.

Verification

To verify that the fix worked, you can:

  • Configure the Matrix channel with allowFrom at the top level:
{
  "channels": {
    "matrix": {
      "enabled": true,
      "homeserver": "http://example.com:8008",
      "accessToken": "...",
      "dm": {
        "policy": "open"
      },
      "allowFrom": ["*"]
    }
  }
}
  • Send a slash command (e.g. /status or /help) in a DM with the bot.
  • Verify that the bot responds with the expected output.

Extra Tips

  • Make sure to update the extensions/matrix/src/matrix/monitor/index.ts file with the correct changes.
  • If you're using a version control system, commit the changes and deploy the updated code to your production environment.
  • If you encounter any issues during the update process, refer to the OpenClaw documentation and seek support from the community or developers if needed.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

Bot replies with status info or help text.

#api#ssr#installation#tensor shape#autograd error#GPU setup#container setup#orchestration issue#cache issue#memory leak

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - ✅(Solved) Fix [Bug]: Matrix extension ignores top-level allowFrom — slash commands silently fail with isAuthorizedSender=false [4 pull requests, 1 comments, 2 participants]