core
core copied to clipboard
php-telegram-bot
User Authorized Feature
Required Information
- PHP version: 5.5
- PHP Telegram Bot version: 0.40.0
- Using MySQL database: yes
- Update Method: getUpdates
- Self-signed certificate: no
- RAW update (if available):
I would like to suggest you a new feature: "user access grant". Only the users enabled can access to the BOT commands. For the backward compatibility with your code I create a new table (user_profile) with the user_id, isEnable flag (Y/N), profile (future use).
Change in DB.php:
in the "insertUser" method I add the user profile (INSERT INTO user_profile table) with the default values: isEnable = 'N' and profile = NULL
I create a new method "isUserEnable" input param "user_id" and returned value a boolean. Select the "isEnable" and if "Y" return true, else false.
Change in Telegram.php:
processUpdate method, before the "executeCommand" check the user permission with the call of DB method "isUserEnable". If enabled execute the command, if not message with "user not allowed" or something like that.
Doing something like this before initializing the bot can do the same thing:
$POST = file_get_contents("php://input");
$POST_DATA = json_decode($POST, true);
$user_id = null;
if (isset($POST_DATA['callback_query']['from']['id'])) {
$user_id = $POST_DATA['callback_query']['from']['id'];
} elseif (isset($POST_DATA['inline_query']['from']['id'])) {
$user_id = $POST_DATA['inline_query']['from']['id'];
} elseif (isset($POST_DATA['chosen_inline_result']['from']['id'])) {
$user_id = $POST_DATA['chosen_inline_result']['from']['id'];
} elseif (isset($POST_DATA['message']['from']['id'])) {
$user_id = $POST_DATA['message']['from']['id'];
} elseif (isset($POST_DATA['edited_message']['from']['id'])) {
$user_id = $POST_DATA['edited_message']['from']['id'];
} elseif (isset($POST_DATA['channel_post']['from']['id'])) {
$user_id = $POST_DATA['channel_post']['from']['id'];
} elseif (isset($POST_DATA['edited_channel_post']['from']['id'])) {
$user_id = $POST_DATA['edited_channel_post']['from']['id'];
}
if(!is_null($user_id) {
//query the db with smth like SELECT FROM `whitelist` WHERE `id` = ' . $user_id
// and if no records are found simply exit; and the request will be ignored!
}
@DragoGold Welcome to GitHub!! Great to have you here contributing 😃
I really like the idea of a more detailed authorisation process, allow more customisations to the bot and its commands.
What you're suggesting, is basically a blocking/banning system, right? There is just an isEnabled field, either executing or ignoring the request.
What would make sense, is a more detailed approach, allowing for total customisation.
For example: user1 can execute A, B and C, user2 can only execute B, everyone else can't do anything.
Borrowing from the way WordPress implements this, a user_authorized() method somewhere could be used for this. We could add the authorisation configuration to the hook, similar to other settings etc. that would then be loaded and evaluated when needed (in the command execute()).
This wouldn't require any database changes, but it would be possible to save it there too. Just trying to keep the library as light as possible.
@jacklul A great and simple approach 👍 The only downside is the access to the DB needs to be made manually, thus duplicating some code... Huge upside though, is that the bot code doesn't even get touched if the access isn't allowed.
(semi off topic, @jacklul your code can be optimised and prettified quite a bit)
@noplanman thanks for your welcome message! You're right about:
What would make sense, is a more detailed approach, allowing for total
For that reason I added the "profile" field in the new table. Using the "profile" it's possible to customize the user grants, using it also for Admin role.
Now, for my business, I'm customizing the library but I'm not a master in PHP and I'm pretty sure that my code it's not clean and OO like your code.
Thanks Riccardo
I'm not a master in PHP and I'm pretty sure that my code it's not clean and OO like your code.
No problem at all 😃 If we decide to add such a feature, feel free to open a PR and we'll perfect it together.
@jacklul @MBoretto @akalongman What do you think about this?
guys, this is a great idea with a more detailed authorisation! is this implemented yet?
