12 files changed, 158 insertions, 10 deletions

diff --git a/config/config.json b/config/config.json
index 48514e1a4..b14175372 100644
--- a/config/config.json
+++ b/config/config.json
@@ -6,6 +6,8 @@
         "GoogleDeveloperKey": "",
         "EnableOAuthServiceProvider": false,
         "EnableIncomingWebhooks": true,
+        "EnablePostUsernameOverride": false,
+        "EnablePostIconOverride": false,
         "EnableTesting": false
     },
     "TeamSettings": {
@@ -87,4 +89,4 @@
         "TokenEndpoint": "",
         "UserApiEndpoint": ""
     }
-}
\ No newline at end of file
+}
diff --git a/docker/dev/config_docker.json b/docker/dev/config_docker.json
index 2611a63ce..ef91a21ea 100644
--- a/docker/dev/config_docker.json
+++ b/docker/dev/config_docker.json
@@ -6,6 +6,8 @@
         "GoogleDeveloperKey": "",
         "EnableOAuthServiceProvider": false,
         "EnableIncomingWebhooks": true,
+        "EnablePostUsernameOverride": false,
+        "EnablePostIconOverride": false,
         "EnableTesting": false
     },
     "TeamSettings": {
diff --git a/docker/local/config_docker.json b/docker/local/config_docker.json
index 2611a63ce..ef91a21ea 100644
--- a/docker/local/config_docker.json
+++ b/docker/local/config_docker.json
@@ -6,6 +6,8 @@
         "GoogleDeveloperKey": "",
         "EnableOAuthServiceProvider": false,
         "EnableIncomingWebhooks": true,
+        "EnablePostUsernameOverride": false,
+        "EnablePostIconOverride": false,
         "EnableTesting": false
     },
     "TeamSettings": {
diff --git a/model/config.go b/model/config.go
index 35ceb7f4a..c67b36063 100644
--- a/model/config.go
+++ b/model/config.go
@@ -29,6 +29,8 @@ type ServiceSettings struct {
 	GoogleDeveloperKey         string
 	EnableOAuthServiceProvider bool
 	EnableIncomingWebhooks     bool
+	EnablePostUsernameOverride bool
+	EnablePostIconOverride     bool
 	EnableTesting              bool
 }
 
diff --git a/utils/config.go b/utils/config.go
index 3218211e3..44c4c43af 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -184,6 +184,8 @@ func getClientProperties(c *model.Config) map[string]string {
 	props["SegmentDeveloperKey"] = c.ServiceSettings.SegmentDeveloperKey
 	props["GoogleDeveloperKey"] = c.ServiceSettings.GoogleDeveloperKey
 	props["EnableIncomingWebhooks"] = strconv.FormatBool(c.ServiceSettings.EnableIncomingWebhooks)
+	props["EnablePostUsernameOverride"] = strconv.FormatBool(c.ServiceSettings.EnablePostUsernameOverride)
+	props["EnablePostIconOverride"] = strconv.FormatBool(c.ServiceSettings.EnablePostIconOverride)
 
 	props["SendEmailNotifications"] = strconv.FormatBool(c.EmailSettings.SendEmailNotifications)
 	props["EnableSignUpWithEmail"] = strconv.FormatBool(c.EmailSettings.EnableSignUpWithEmail)
diff --git a/web/react/components/admin_console/service_settings.jsx b/web/react/components/admin_console/service_settings.jsx
index 245ffa871..b2d1b7b4d 100644
--- a/web/react/components/admin_console/service_settings.jsx
+++ b/web/react/components/admin_console/service_settings.jsx
@@ -37,6 +37,8 @@ export default class ServiceSettings extends React.Component {
         config.ServiceSettings.GoogleDeveloperKey = React.findDOMNode(this.refs.GoogleDeveloperKey).value.trim();
         //config.ServiceSettings.EnableOAuthServiceProvider = React.findDOMNode(this.refs.EnableOAuthServiceProvider).checked;
         config.ServiceSettings.EnableIncomingWebhooks = React.findDOMNode(this.refs.EnableIncomingWebhooks).checked;
+        config.ServiceSettings.EnablePostUsernameOverride = React.findDOMNode(this.refs.EnablePostUsernameOverride).checked;
+        config.ServiceSettings.EnablePostIconOverride = React.findDOMNode(this.refs.EnablePostIconOverride).checked;
         config.ServiceSettings.EnableTesting = React.findDOMNode(this.refs.EnableTesting).checked;
 
         var MaximumLoginAttempts = 10;
@@ -199,7 +201,73 @@ export default class ServiceSettings extends React.Component {
                                 />
                                     {'false'}
                             </label>
-                            <p className='help-text'>{'When true, incoming webhooks will be allowed.'}</p>
+                            <p className='help-text'>{'When true, incoming webhooks will be allowed. To help combat phishing attacks, all posts from webhooks will be labelled by a BOT tag.'}</p>
+                        </div>
+                    </div>
+
+                     <div className='form-group'>
+                        <label
+                            className='control-label col-sm-4'
+                            htmlFor='EnablePostUsernameOverride'
+                        >
+                            {'Enable Overriding Usernames from Webhooks: '}
+                        </label>
+                        <div className='col-sm-8'>
+                            <label className='radio-inline'>
+                                <input
+                                    type='radio'
+                                    name='EnablePostUsernameOverride'
+                                    value='true'
+                                    ref='EnablePostUsernameOverride'
+                                    defaultChecked={this.props.config.ServiceSettings.EnablePostUsernameOverride}
+                                    onChange={this.handleChange}
+                                />
+                                    {'true'}
+                            </label>
+                            <label className='radio-inline'>
+                                <input
+                                    type='radio'
+                                    name='EnablePostUsernameOverride'
+                                    value='false'
+                                    defaultChecked={!this.props.config.ServiceSettings.EnablePostUsernameOverride}
+                                    onChange={this.handleChange}
+                                />
+                                    {'false'}
+                            </label>
+                            <p className='help-text'>{'When true, webhooks will be allowed to change the username they are posting as. Note, combined with allowing icon overriding, this could open users up to phishing attacks.'}</p>
+                        </div>
+                    </div>
+
+                     <div className='form-group'>
+                        <label
+                            className='control-label col-sm-4'
+                            htmlFor='EnablePostIconOverride'
+                        >
+                            {'Enable Overriding Icon from Webhooks: '}
+                        </label>
+                        <div className='col-sm-8'>
+                            <label className='radio-inline'>
+                                <input
+                                    type='radio'
+                                    name='EnablePostIconOverride'
+                                    value='true'
+                                    ref='EnablePostIconOverride'
+                                    defaultChecked={this.props.config.ServiceSettings.EnablePostIconOverride}
+                                    onChange={this.handleChange}
+                                />
+                                    {'true'}
+                            </label>
+                            <label className='radio-inline'>
+                                <input
+                                    type='radio'
+                                    name='EnablePostIconOverride'
+                                    value='false'
+                                    defaultChecked={!this.props.config.ServiceSettings.EnablePostIconOverride}
+                                    onChange={this.handleChange}
+                                />
+                                    {'false'}
+                            </label>
+                            <p className='help-text'>{'When true, webhooks will be allowed to change the icon they post with. Note, combined with allowing username overriding, this could open users up to phishing attacks.'}</p>
                         </div>
                     </div>
 
diff --git a/web/react/components/post.jsx b/web/react/components/post.jsx
index 9127f00de..ac9c9252e 100644
--- a/web/react/components/post.jsx
+++ b/web/react/components/post.jsx
@@ -158,11 +158,18 @@ export default class Post extends React.Component {
 
         var profilePic = null;
         if (!this.props.hideProfilePic) {
+            let src = '/api/v1/users/' + post.user_id + '/image?time=' + timestamp;
+            if (post.props && post.props.from_webhook && global.window.config.EnablePostIconOverride === 'true') {
+                if (post.props.override_icon_url) {
+                    src = post.props.override_icon_url;
+                }
+            }
+
             profilePic = (
                 <div className='post-profile-img__container'>
                     <img
                         className='post-profile-img'
-                        src={'/api/v1/users/' + post.user_id + '/image?time=' + timestamp}
+                        src={src}
                         height='36'
                         width='36'
                     />
diff --git a/web/react/components/post_header.jsx b/web/react/components/post_header.jsx
index 9dc525e03..dd79b3e36 100644
--- a/web/react/components/post_header.jsx
+++ b/web/react/components/post_header.jsx
@@ -12,9 +12,27 @@ export default class PostHeader extends React.Component {
     render() {
         var post = this.props.post;
 
+        let userProfile = <UserProfile userId={post.user_id} />;
+        let botIndicator;
+
+        if (post.props && post.props.from_webhook) {
+            if (post.props.override_username && global.window.config.EnablePostUsernameOverride === 'true') {
+                userProfile = (
+                    <UserProfile
+                        userId={post.user_id}
+                        overwriteName={post.props.override_username}
+                        disablePopover={true}
+                    />
+                );
+            }
+
+            botIndicator = <li className='post-header-col post-header__name bot-indicator'>{'BOT'}</li>;
+        }
+
         return (
             <ul className='post-header post-header-post'>
-                <li className='post-header-col post-header__name'><strong><UserProfile userId={post.user_id} /></strong></li>
+                <li className='post-header-col post-header__name'><strong>{userProfile}</strong></li>
+                {botIndicator}
                 <li className='post-info--hidden'>
                     <PostInfo
                         post={post}
diff --git a/web/react/components/post_list.jsx b/web/react/components/post_list.jsx
index a31967257..b90197ac4 100644
--- a/web/react/components/post_list.jsx
+++ b/web/react/components/post_list.jsx
@@ -516,8 +516,19 @@ export default class PostList extends React.Component {
 
                 sameRoot = utils.isComment(post) && (prevPost.id === post.root_id || prevPost.root_id === post.root_id);
 
-                // we only hide the profile pic if the previous post is not a comment, the current post is not a comment, and the previous post was made by the same user as the current post
-                hideProfilePic = (prevPost.user_id === post.user_id) && !utils.isComment(prevPost) && !utils.isComment(post);
+                // hide the profile pic if:
+                //     the previous post was made by the same user as the current post,
+                //     the previous post is not a comment,
+                //     the current post is not a comment,
+                //     the current post is not from a webhook
+                //     and the previous post is not from a webhook
+                if ((prevPost.user_id === post.user_id) &&
+                        !utils.isComment(prevPost) &&
+                        !utils.isComment(post) &&
+                        (!post.props || !post.props.from_webhook) &&
+                        (!prevPost.props || !prevPost.props.from_webhook)) {
+                    hideProfilePic = true;
+                }
             }
 
             // check if it's the last comment in a consecutive string of comments on the same post
diff --git a/web/react/components/user_profile.jsx b/web/react/components/user_profile.jsx
index c5d028d31..ceb8f52a7 100644
--- a/web/react/components/user_profile.jsx
+++ b/web/react/components/user_profile.jsx
@@ -31,8 +31,10 @@ export default class UserProfile extends React.Component {
     }
     componentDidMount() {
         UserStore.addChangeListener(this.onChange);
-        $('#profile_' + this.uniqueId).popover({placement: 'right', container: 'body', trigger: 'hover', html: true, delay: {show: 200, hide: 100}});
-        $('body').tooltip({selector: '[data-toggle=tooltip]', trigger: 'hover click'});
+        if (!this.props.disablePopover) {
+            $('#profile_' + this.uniqueId).popover({placement: 'right', container: 'body', trigger: 'hover', html: true, delay: {show: 200, hide: 100}});
+            $('body').tooltip({selector: '[data-toggle=tooltip]', trigger: 'hover click'});
+        }
     }
     componentWillUnmount() {
         UserStore.removeChangeListener(this.onChange);
@@ -56,6 +58,10 @@ export default class UserProfile extends React.Component {
             name = this.props.overwriteName;
         }
 
+        if (this.props.disablePopover) {
+            return <div>{name}</div>;
+        }
+
         var dataContent = '<img class="user-popover__image" src="/api/v1/users/' + this.state.profile.id + '/image?time=' + this.state.profile.update_at + '" height="128" width="128" />';
         if (!global.window.config.ShowEmailAddress === 'true') {
             dataContent += '<div class="text-nowrap">Email not shared</div>';
@@ -79,9 +85,11 @@ export default class UserProfile extends React.Component {
 
 UserProfile.defaultProps = {
     userId: '',
-    overwriteName: ''
+    overwriteName: '',
+    disablePopover: false
 };
 UserProfile.propTypes = {
     userId: React.PropTypes.string,
-    overwriteName: React.PropTypes.string
+    overwriteName: React.PropTypes.string,
+    disablePopover: React.PropTypes.bool
 };
diff --git a/web/sass-files/sass/partials/_post.scss b/web/sass-files/sass/partials/_post.scss
index 7532875d6..8bf4b0534 100644
--- a/web/sass-files/sass/partials/_post.scss
+++ b/web/sass-files/sass/partials/_post.scss
@@ -509,3 +509,11 @@ body.ios {
 		}
 	}
 }
+
+.bot-indicator {
+    background-color: lightgrey;
+    border-radius:2px;
+    padding-left:2px;
+    padding-right:2px;
+    font-family:"Courier New"
+}
diff --git a/web/web.go b/web/web.go
index e440699b2..a1bbf5a81 100644
--- a/web/web.go
+++ b/web/web.go
@@ -884,6 +884,12 @@ func getAccessToken(c *api.Context, w http.ResponseWriter, r *http.Request) {
 }
 
 func incomingWebhook(c *api.Context, w http.ResponseWriter, r *http.Request) {
+	if !utils.Cfg.ServiceSettings.EnableIncomingWebhooks {
+		c.Err = model.NewAppError("incomingWebhook", "Incoming webhooks have been disabled by the system admin.", "")
+		c.Err.StatusCode = http.StatusNotImplemented
+		return
+	}
+
 	params := mux.Vars(r)
 	id := params["id"]
 
@@ -906,6 +912,9 @@ func incomingWebhook(c *api.Context, w http.ResponseWriter, r *http.Request) {
 
 	channelName := props["channel"]
 
+	overrideUsername := props["username"]
+	overrideIconUrl := props["icon_url"]
+
 	var hook *model.IncomingWebhook
 	if result := <-hchan; result.Err != nil {
 		c.Err = model.NewAppError("incomingWebhook", "Invalid webhook", "err="+result.Err.Message)
@@ -951,6 +960,15 @@ func incomingWebhook(c *api.Context, w http.ResponseWriter, r *http.Request) {
 	pchan := api.Srv.Store.Channel().CheckPermissionsTo(hook.TeamId, channel.Id, hook.UserId)
 
 	post := &model.Post{UserId: hook.UserId, ChannelId: channel.Id, Message: text}
+	post.AddProp("from_webhook", "true")
+
+	if len(overrideUsername) != 0 && utils.Cfg.ServiceSettings.EnablePostUsernameOverride {
+		post.AddProp("override_username", overrideUsername)
+	}
+
+	if len(overrideIconUrl) != 0 && utils.Cfg.ServiceSettings.EnablePostIconOverride {
+		post.AddProp("override_icon_url", overrideIconUrl)
+	}
 
 	if !c.HasPermissionsToChannel(pchan, "createIncomingHook") && channel.Type != model.CHANNEL_OPEN {
 		c.Err = model.NewAppError("incomingWebhook", "Inappropriate channel permissions", "")