Access Control Design

If you've got this far by following the steps in this blog then you have a Telegram bot (with an access token), have created a command (/getID) and have wired in a response from your bot that returns the chatId of whoever sent the command. That's great - you're only returning info that the originator had sent to your bot, but it's not as private or controllable as you might want.

Limiting access to the bot can be done within the configuration of the NodeRed telegrambot itself. However, that is an all-or-nothing process. If you can send a command then so can, for example, the whole of your family. You might want to prevent the kids from being able to execute some of the commands, while letting your wife have access to most of them and reserving the most dangerous ones for you alone as admin. Or you might want to change the access rights as the kids get older.

The access control is based on chatId & a permission level. If you don't have a recognised chatId then you can't get any action from any commands that have control in place. If you do have access permission then your chatId determines which commands you can execute - if your chatId has a permission greater than or equal to the permission level of the command then you can run it.

All of this is going to need a database that NodeRed can access. You might have noticed that this was part of the Portainer Stack for NodeRed despite it not actually being needed for pure NodeRed itself. Now you know why.
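The rule described above, written out as plain JavaScript of the kind a NodeRed function node runs. This is an added example, not code from this blog's flows: the `authorize` function, the two in-memory tables standing in for the database, and all chatIds, names, commands other than /getID and levels are constructed for illustration.

```javascript
// Stand-in for the database tables (constructed values, not real chatIds).
const users = new Map([
  ["1001", { name: "admin", level: 3 }],
  ["1002", { name: "partner", level: 2 }],
  ["1003", { name: "kid", level: 1 }],
]);

// Commands that have control in place and the level each one requires.
// Keys are lowercase because authorize() lowercases before lookup.
// A command that is not listed has no control in place (e.g. /getID).
const commands = new Map([
  ["/lights", 1],
  ["/heating", 2],
  ["/reboot", 3],
]);

function authorize(chatId, text) {
  // The command is the first token; in groups Telegram may send "/cmd@BotName".
  // Normalising case stops "/Reboot" being treated as an uncontrolled command.
  const command = String(text).trim().split(/\s+/)[0].split("@")[0].toLowerCase();
  const required = commands.get(command);
  if (required === undefined) {
    return { allowed: true, command, reason: "no control in place" };
  }
  // chatId may arrive as a number or a string; normalise before the lookup.
  const user = users.get(String(chatId));
  if (!user) {
    return { allowed: false, command, reason: "unrecognised chatId" };
  }
  // Fail closed if the stored level is missing or not an integer.
  if (!Number.isInteger(user.level) || user.level < required) {
    return { allowed: false, command, reason: "permission level too low" };
  }
  return { allowed: true, command, reason: "level " + user.level + " >= " + required };
}

// Constructed sample messages: [chatId, text]
const samples = [[1001, "/reboot"], [1002, "/reboot now"], [1003, "/lights on"],
                 [9999, "/lights"], [9999, "/getID"], [1002, "/Heating@HomeBot 21"]];
for (const [chatId, text] of samples) {
  const r = authorize(chatId, text);
  console.log(chatId, text, "->", r.allowed ? "ALLOW" : "DENY", "(" + r.reason + ")");
}
```

Changing someone's access rights later is then a matter of updating the level stored against their chatId; the commands themselves do not change.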
