Skip to content

Commit ae6c8b4

Browse files
committed
docs: trusted_member_group_ids nil-vs-[] semantics + cooldown priority; v3.9.1 changelog
1 parent 8751e0e commit ae6c8b4

3 files changed

Lines changed: 18 additions & 2 deletions

File tree

CHANGELOG.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,22 @@ All notable changes to this project are documented here. The format is based on
44
[Keep a Changelog](https://keepachangelog.com/), and this project adheres to
55
[Semantic Versioning](https://semver.org/).
66

7+
## [3.9.1] - 2026-06-23
8+
9+
### Fixed
10+
Two access-control boundary fixes on the v3.9.0 trusted-member bypass (review follow-up):
11+
- **A per-group `trusted_member_group_ids` can now explicitly DISABLE the bypass with `[]`** — the
12+
resolver distinguishes an OMITTED field (inherit the global) from an explicit empty array (opt out
13+
for that group). Previously both inherited the global, so a sensitive group couldn't opt out of a
14+
global trusted source.
15+
- **A trusted member now takes priority over the failure cooldown** — the trusted-member check runs
16+
*before* the anti-spam cooldown, so a verified member of a trusted group who had a prior failed
17+
verify is auto-approved (and their strikes cleared) instead of being silently declined by the
18+
cooldown. A confirmed trusted member whose auto-approve fails proceeds to normal verification and is
19+
NOT cooldown-declined; only a non-member / unconfirmable applicant is subject to the cooldown.
20+
- Tests: gate-level `TestJoinGate` (the cooldown ordering — the integration branch the per-function
21+
test missed) and the explicit-`[]`-disables resolver + LoadConfig cases.
22+
723
## [3.9.0] - 2026-06-23
824

925
### Added

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -97,7 +97,7 @@ Everything else lives in `config.json` (copy `config.example.json`):
9797
| `verify_retry_seconds` | a declined applicant must wait this long before re-applying (default 180; negative = no cooldown) |
9898
| `verify_max_fails` | failed verifications before an applicant is auto-banned (default 3; negative = never auto-ban) |
9999
| `required_channel_fail_open` | when the bot can't read the required channel's membership, let verified applicants through (`true`, default) or hold them back (`false`). Admins are alerted either way |
100-
| `trusted_member_group_ids` | **trusted-member bypass**: an applicant who is **already a member of any of these chats** is auto-approved without a quiz (e.g. a sub-group trusting the main group's members). **Global default; override per-group** in `groups`. Use real chat ids (groups are `-100…`); the bot must be in each listed chat to read membership (they're treated as known chats, never auto-left). Unlike a required channel this **fails closed** — if membership can't be confirmed, the applicant just does the normal verification |
100+
| `trusted_member_group_ids` | **trusted-member bypass**: an applicant who is **already a member of any of these chats** is auto-approved without a quiz (e.g. a sub-group trusting the main group's members). **Global default; per-group**: omit to inherit the global, `[]` to **disable** for that group, or list ids to override. Use real chat ids (groups are `-100…`); the bot must be in each listed chat to read membership (treated as known chats, never auto-left). A trusted member takes **priority over the failure cooldown** (they're approved + their strikes cleared even after a prior failed verify). Unlike a required channel this **fails closed** — if membership can't be confirmed the applicant just does the normal verification |
101101
| `admin_log_chat_id` | optional chat that receives a line per moderation / failed-approve event |
102102
| `overlays` | `/pkg` GitHub overlays `[{name,repo,branch}]` (default: gentoo-zh + guru) |
103103
| `news_url` | `/news` source index URL (default: gentoo.org news-items) |

README.zh-CN.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -82,7 +82,7 @@ GITHUB_TOKEN=ghp_xxx
8282
| `verify_retry_seconds` | 被拒申请人需等待多久才能重新申请(默认 180;负数 = 无冷却) |
8383
| `verify_max_fails` | 连续验证失败多少次后自动封禁(默认 3;负数 = 永不自动封禁) |
8484
| `required_channel_fail_open` | 当 bot 读不到必关频道成员状态时,放行已答题的申请人(`true`,默认)还是拦下(`false`)。两种情况都会告警管理员 |
85-
| `trusted_member_group_ids` | **可信成员免验证**:申请人若**已经是这些群之一的成员**,直接批准、跳过答题(例:子群信任主群的成员)。**全局默认,可在 `groups` 里按群覆盖**。用真实 chat id(群是 `-100…`);bot 必须在每个列出的群里才能读成员状态(它们会被当作已知聊天、不会被自动退出)。与必关频道不同,这里**fail-closed**——读不到成员身份就走正常验证,绝不直接放行 |
85+
| `trusted_member_group_ids` | **可信成员免验证**:申请人若**已经是这些群之一的成员**,直接批准、跳过答题(例:子群信任主群的成员)。**全局默认;按群**:省略=继承全局,写 `[]`=本群**关闭**,写 id 列表=覆盖全局。用真实 chat id(群是 `-100…`);bot 必须在每个列出的群里才能读成员状态(当作已知聊天、不会被自动退出)。可信成员**优先于失败冷却**(即使之前验证失败被冷却,也会被直接放行并清空 strike)。与必关频道不同,这里**fail-closed**——读不到成员身份就走正常验证,绝不直接放行 |
8686
| `admin_log_chat_id` | 可选:接收每次管理操作 / 批准失败的日志 |
8787
| `overlays` | `/pkg` 的 GitHub overlay `[{name,repo,branch}]`(默认 gentoo-zh + guru) |
8888
| `news_url` | `/news` 源索引 URL(默认 gentoo.org) |

0 commit comments

Comments
 (0)