3 files changed, 110 insertions, 2 deletions

diff --git a/api4/webhook.go b/api4/webhook.go
index 8d2c4874f..86f8bcc2e 100644
--- a/api4/webhook.go
+++ b/api4/webhook.go
@@ -23,8 +23,9 @@ func InitWebhook() {
 
 	BaseRoutes.OutgoingHooks.Handle("", ApiSessionRequired(createOutgoingHook)).Methods("POST")
 	BaseRoutes.OutgoingHooks.Handle("", ApiSessionRequired(getOutgoingHooks)).Methods("GET")
-	BaseRoutes.OutgoingHook.Handle("", ApiSessionRequired(updateOutcomingHook)).Methods("PUT")
 	BaseRoutes.OutgoingHook.Handle("", ApiSessionRequired(getOutgoingHook)).Methods("GET")
+	BaseRoutes.OutgoingHook.Handle("", ApiSessionRequired(updateOutgoingHook)).Methods("PUT")
+	BaseRoutes.OutgoingHook.Handle("", ApiSessionRequired(deleteOutgoingHook)).Methods("DELETE")
 	BaseRoutes.OutgoingHook.Handle("/regen_token", ApiSessionRequired(regenOutgoingHookToken)).Methods("POST")
 }
 
@@ -226,7 +227,7 @@ func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func updateOutcomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
+func updateOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 	c.RequireHookId()
 	if c.Err != nil {
 		return
@@ -395,3 +396,38 @@ func regenOutgoingHookToken(c *Context, w http.ResponseWriter, r *http.Request)
 		w.Write([]byte(rhook.ToJson()))
 	}
 }
+
+func deleteOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireHookId()
+	if c.Err != nil {
+		return
+	}
+
+	hook, err := app.GetOutgoingWebhook(c.Params.HookId)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	c.LogAudit("attempt")
+
+	if !app.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
+		return
+	}
+
+	if c.Session.UserId != hook.CreatorId && !app.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+		c.LogAudit("fail - inappropriate permissions")
+		c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
+		return
+	}
+
+	if err := app.DeleteOutgoingWebhook(hook.Id); err != nil {
+		c.LogAudit("fail")
+		c.Err = err
+		return
+	}
+
+	c.LogAudit("success")
+	ReturnStatusOK(w)
+}
diff --git a/api4/webhook_test.go b/api4/webhook_test.go
index 80b03c5aa..1691b27e5 100644
--- a/api4/webhook_test.go
+++ b/api4/webhook_test.go
@@ -831,3 +831,65 @@ func TestUpdateOutgoingHook(t *testing.T) {
 		CheckUnauthorizedStatus(t, resp)
 	})
 }
+
+func TestDeleteOutgoingHook(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer TearDown()
+	Client := th.SystemAdminClient
+
+	enableIncomingHooks := utils.Cfg.ServiceSettings.EnableIncomingWebhooks
+	enableAdminOnlyHooks := utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations
+	defer func() {
+		utils.Cfg.ServiceSettings.EnableIncomingWebhooks = enableIncomingHooks
+		utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = enableAdminOnlyHooks
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	utils.Cfg.ServiceSettings.EnableIncomingWebhooks = true
+	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true
+	utils.SetDefaultRolesBasedOnConfig()
+
+	var resp *model.Response
+	var rhook *model.OutgoingWebhook
+	var hook *model.OutgoingWebhook
+	var status bool
+
+	t.Run("WhenInvalidHookID", func(t *testing.T) {
+		status, resp = Client.DeleteOutgoingWebhook("abc")
+		CheckBadRequestStatus(t, resp)
+	})
+
+	t.Run("WhenHookDoesNotExist", func(t *testing.T) {
+		status, resp = Client.DeleteOutgoingWebhook(model.NewId())
+		CheckInternalErrorStatus(t, resp)
+	})
+
+	t.Run("WhenHookExists", func(t *testing.T) {
+		hook = &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId,
+			CallbackURLs: []string{"http://nowhere.com"}, TriggerWords: []string{"cats"}}
+		rhook, resp = Client.CreateOutgoingWebhook(hook)
+		CheckNoError(t, resp)
+
+		if status, resp = Client.DeleteOutgoingWebhook(rhook.Id); !status {
+			t.Fatal("Delete should have succeeded")
+		} else {
+			CheckOKStatus(t, resp)
+		}
+
+		// Get now should not return this deleted hook
+		_, resp = Client.GetIncomingWebhook(rhook.Id, "")
+		CheckNotFoundStatus(t, resp)
+	})
+
+	t.Run("WhenUserDoesNotHavePemissions", func(t *testing.T) {
+		hook = &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId,
+			CallbackURLs: []string{"http://nowhere.com"}, TriggerWords: []string{"dogs"}}
+		rhook, resp = Client.CreateOutgoingWebhook(hook)
+		CheckNoError(t, resp)
+
+		th.LoginBasic()
+		Client = th.Client
+
+		_, resp = Client.DeleteOutgoingWebhook(rhook.Id)
+		CheckForbiddenStatus(t, resp)
+	})
+}
diff --git a/model/client4.go b/model/client4.go
index 5b7f502e1..ae20d5293 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -1383,6 +1383,16 @@ func (c *Client4) RegenOutgoingHookToken(hookId string) (*OutgoingWebhook, *Resp
 	}
 }
 
+// DeleteOutgoingWebhook delete the outgoing webhook on the system requested by Hook Id.
+func (c *Client4) DeleteOutgoingWebhook(hookId string) (bool, *Response) {
+	if r, err := c.DoApiDelete(c.GetOutgoingWebhookRoute(hookId)); err != nil {
+		return false, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
 // Preferences Section
 
 // GetPreferences returns the user's preferences.