authorJesús Espino <jespinog@gmail.com>2018-03-07 14:54:47 +0000
committerGeorge Goldberg <george@gberg.me>2018-03-07 14:54:47 +0000
commitb66e4bc932ed76c1cfd2b5f4ec0cfce70cd9fbb4 (patch)
treefefa8988b067434ef86ee9be29208c40be2c3d39 /api4/webhook.go
parent901acc9703ae58b625b44e7abfd02333b9bab951 (diff)
MM-8830 Consistent Incomming/Outgoing webhooks permissions (#8335)
Diffstat (limited to 'api4/webhook.go')
-rw-r--r--api4/webhook.go28
1 files changed, 20 insertions, 8 deletions
diff --git a/api4/webhook.go b/api4/webhook.go
index e19f14704..dcbf6c2af 100644
--- a/api4/webhook.go
+++ b/api4/webhook.go
@@ -194,10 +194,16 @@ func getIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
c.LogAudit("fail - bad permissions")
c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
return
- } else {
- w.Write([]byte(hook.ToJson()))
+ }
+
+ if c.Session.UserId != hook.UserId && !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+ c.LogAudit("fail - inappropriate permissions")
+ c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
return
}
+
+ w.Write([]byte(hook.ToJson()))
+ return
}
}
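Review bot: The owner-or-`PERMISSION_MANAGE_OTHERS_WEBHOOKS` check added here in getIncomingHook is repeated line for line in the deleteIncomingHook hunk below, and copy-pasted authorization logic is how handlers end up enforcing different rules, which is the inconsistency this commit's title sets out to fix. Moving the comparison, the audit entry and the permission error into one helper keeps the rule in a single place, and each call site shrinks to `if !sessionCanManageHook(c, hook.UserId, hook.TeamId) { return }` (the helper name is only a suggestion). The `return` added after `w.Write(...)` is the last statement of its block and can be dropped, which also matches the delete handler. getIncomingHook begins outside the hunk, so the earlier checks are not visible here.

```go
// sessionCanManageHook reports whether the current session may act on a hook
// owned by ownerId in teamId. On refusal it writes the audit entry and sets
// the permission error, so callers only need to return.
func sessionCanManageHook(c *Context, ownerId, teamId string) bool {
	if c.Session.UserId == ownerId {
		return true
	}
	if c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
		return true
	}
	c.LogAudit("fail - inappropriate permissions")
	c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
	return false
}
```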
@@ -228,14 +234,20 @@ func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
c.LogAudit("fail - bad permissions")
c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
return
- } else {
- if err = c.App.DeleteIncomingWebhook(hookId); err != nil {
- c.Err = err
- return
- }
+ }
- ReturnStatusOK(w)
+ if c.Session.UserId != hook.UserId && !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+ c.LogAudit("fail - inappropriate permissions")
+ c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
+ return
}
+
+ if err = c.App.DeleteIncomingWebhook(hookId); err != nil {
+ c.Err = err
+ return
+ }
+
+ ReturnStatusOK(w)
}
}
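Review bot: In deleteIncomingHook both denial paths write an audit entry, but nothing visible in the hunk records a completed deletion between `c.App.DeleteIncomingWebhook(hookId)` and `ReturnStatusOK(w)`. Removing a webhook is a state change that someone investigating an incident will want to find in the audit log, so I would add `c.LogAudit("success")` immediately before `ReturnStatusOK(w)`. The function begins outside the hunk, so an earlier entry may already exist there, but an entry written before the delete call cannot distinguish a completed deletion from one that failed.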