Skip to content

User Authorized Feature #424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DragoGold opened this issue Mar 7, 2017 · 6 comments
Open

User Authorized Feature #424

DragoGold opened this issue Mar 7, 2017 · 6 comments
Labels
feature request

Comments

@DragoGold
Copy link

Required Information

  • PHP version: 5.5
  • PHP Telegram Bot version: 0.40.0
  • Using MySQL database: yes
  • Update Method: getUpdates
  • Self-signed certificate: no
  • RAW update (if available):

I would like to suggest you a new feature: "user access grant".
Only the users enabled can access to the BOT commands.
For the backward compatibility with your code I create a new table (user_profile) with the user_id, isEnable flag (Y/N), profile (future use).

Change in DB.php:

in the "insertUser" method I add the user profile (INSERT INTO user_profile table) with the default values: isEnable = 'N' and profile = NULL

I create a new method "isUserEnable" input param "user_id" and returned value a boolean. Select the "isEnable" and if "Y" return true, else false.

Change in Telegram.php:

processUpdate method, before the "executeCommand" check the user permission with the call of DB method "isUserEnable". If enabled execute the command, if not message with "user not allowed" or something like that.
@jacklul
Copy link
Collaborator

jacklul commented Mar 7, 2017
edited
Loading

Doing something like this before initializing the bot can do the same thing:

$POST = file_get_contents("php://input");
$POST_DATA = json_decode($POST, true);

$user_id = null;
if (isset($POST_DATA['callback_query']['from']['id'])) {
    $user_id = $POST_DATA['callback_query']['from']['id'];
} elseif (isset($POST_DATA['inline_query']['from']['id'])) {
    $user_id = $POST_DATA['inline_query']['from']['id'];
} elseif (isset($POST_DATA['chosen_inline_result']['from']['id'])) {
    $user_id = $POST_DATA['chosen_inline_result']['from']['id'];
} elseif (isset($POST_DATA['message']['from']['id'])) {
    $user_id = $POST_DATA['message']['from']['id'];
} elseif (isset($POST_DATA['edited_message']['from']['id'])) {
    $user_id = $POST_DATA['edited_message']['from']['id'];
} elseif (isset($POST_DATA['channel_post']['from']['id'])) {
    $user_id = $POST_DATA['channel_post']['from']['id'];
} elseif (isset($POST_DATA['edited_channel_post']['from']['id'])) {
    $user_id = $POST_DATA['edited_channel_post']['from']['id'];
}

if(!is_null($user_id) {
   //query the db with smth like SELECT FROM `whitelist` WHERE `id` = ' . $user_id
   // and if no records are found simply exit; and the request will be ignored!
}

@noplanman
Copy link
Member

noplanman commented Mar 7, 2017
edited
Loading

@DragoGold Welcome to GitHub!! Great to have you here contributing 😃

I really like the idea of a more detailed authorisation process, allow more customisations to the bot and its commands.
What you're suggesting, is basically a blocking/banning system, right? There is just an isEnabled field, either executing or ignoring the request.
What would make sense, is a more detailed approach, allowing for total customisation.

For example: user1 can execute A, B and C, user2 can only execute B, everyone else can't do anything.

Borrowing from the way WordPress implements this, a user_authorized() method somewhere could be used for this. We could add the authorisation configuration to the hook, similar to other settings etc. that would then be loaded and evaluated when needed (in the command execute()).

This wouldn't require any database changes, but it would be possible to save it there too.
Just trying to keep the library as light as possible.

@jacklul A great and simple approach 👍
The only downside is the access to the DB needs to be made manually, thus duplicating some code...
Huge upside though, is that the bot code doesn't even get touched if the access isn't allowed.

(semi off topic, @jacklul your code can be optimised and prettified quite a bit)

@DragoGold
Copy link
Author

@noplanman thanks for your welcome message!
You're right about:

What would make sense, is a more detailed approach, allowing for total

For that reason I added the "profile" field in the new table.
Using the "profile" it's possible to customize the user grants, using it also for Admin role.

Now, for my business, I'm customizing the library but I'm not a master in PHP and I'm pretty sure that my code it's not clean and OO like your code.

Thanks
Riccardo

@noplanman
Copy link
Member

I'm not a master in PHP and I'm pretty sure that my code it's not clean and OO like your code.

No problem at all 😃
If we decide to add such a feature, feel free to open a PR and we'll perfect it together.

@jacklul @MBoretto @akalongman What do you think about this?

@Leonid74
Copy link

guys, this is a great idea with a more detailed authorisation!
is this implemented yet?

@noplanman
Copy link
Member

@Leonid74 Not yet...
Here is another related issue #613

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@akalongman @jacklul @noplanman @DragoGold @Leonid74