11 files changed, 119 insertions, 17 deletions

diff --git a/config/config.json b/config/config.json
index 38acee85a..101b8ebcb 100644
--- a/config/config.json
+++ b/config/config.json
@@ -6,6 +6,8 @@
         "GoogleDeveloperKey": "",
         "EnableOAuthServiceProvider": false,
         "EnableIncomingWebhooks": true,
+        "EnablePostUsernameOverride": false,
+        "EnablePostIconOverride": false,
         "EnableTesting": false
     },
     "TeamSettings": {
@@ -86,4 +88,4 @@
         "TokenEndpoint": "",
         "UserApiEndpoint": ""
     }
-}
\ No newline at end of file
+}
diff --git a/docker/dev/config_docker.json b/docker/dev/config_docker.json
index 733267f74..37daaae35 100644
--- a/docker/dev/config_docker.json
+++ b/docker/dev/config_docker.json
@@ -6,6 +6,8 @@
         "GoogleDeveloperKey": "",
         "EnableOAuthServiceProvider": false,
         "EnableIncomingWebhooks": true,
+        "EnablePostUsernameOverride": false,
+        "EnablePostIconOverride": false,
         "EnableTesting": false
     },
     "TeamSettings": {
diff --git a/docker/local/config_docker.json b/docker/local/config_docker.json
index 733267f74..37daaae35 100644
--- a/docker/local/config_docker.json
+++ b/docker/local/config_docker.json
@@ -6,6 +6,8 @@
         "GoogleDeveloperKey": "",
         "EnableOAuthServiceProvider": false,
         "EnableIncomingWebhooks": true,
+        "EnablePostUsernameOverride": false,
+        "EnablePostIconOverride": false,
         "EnableTesting": false
     },
     "TeamSettings": {
diff --git a/model/config.go b/model/config.go
index 5d822e263..e3904cc49 100644
--- a/model/config.go
+++ b/model/config.go
@@ -29,6 +29,8 @@ type ServiceSettings struct {
 	GoogleDeveloperKey         string
 	EnableOAuthServiceProvider bool
 	EnableIncomingWebhooks     bool
+	EnablePostUsernameOverride bool
+	EnablePostIconOverride     bool
 	EnableTesting              bool
 }
 
diff --git a/utils/config.go b/utils/config.go
index 3218211e3..44c4c43af 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -184,6 +184,8 @@ func getClientProperties(c *model.Config) map[string]string {
 	props["SegmentDeveloperKey"] = c.ServiceSettings.SegmentDeveloperKey
 	props["GoogleDeveloperKey"] = c.ServiceSettings.GoogleDeveloperKey
 	props["EnableIncomingWebhooks"] = strconv.FormatBool(c.ServiceSettings.EnableIncomingWebhooks)
+	props["EnablePostUsernameOverride"] = strconv.FormatBool(c.ServiceSettings.EnablePostUsernameOverride)
+	props["EnablePostIconOverride"] = strconv.FormatBool(c.ServiceSettings.EnablePostIconOverride)
 
 	props["SendEmailNotifications"] = strconv.FormatBool(c.EmailSettings.SendEmailNotifications)
 	props["EnableSignUpWithEmail"] = strconv.FormatBool(c.EmailSettings.EnableSignUpWithEmail)
diff --git a/web/react/components/admin_console/service_settings.jsx b/web/react/components/admin_console/service_settings.jsx
index 245ffa871..abc92cc20 100644
--- a/web/react/components/admin_console/service_settings.jsx
+++ b/web/react/components/admin_console/service_settings.jsx
@@ -37,6 +37,8 @@ export default class ServiceSettings extends React.Component {
         config.ServiceSettings.GoogleDeveloperKey = React.findDOMNode(this.refs.GoogleDeveloperKey).value.trim();
         //config.ServiceSettings.EnableOAuthServiceProvider = React.findDOMNode(this.refs.EnableOAuthServiceProvider).checked;
         config.ServiceSettings.EnableIncomingWebhooks = React.findDOMNode(this.refs.EnableIncomingWebhooks).checked;
+        config.ServiceSettings.EnablePostUsernameOverride = React.findDOMNode(this.refs.EnablePostUsernameOverride).checked;
+        config.ServiceSettings.EnablePostIconOverride = React.findDOMNode(this.refs.EnablePostIconOverride).checked;
         config.ServiceSettings.EnableTesting = React.findDOMNode(this.refs.EnableTesting).checked;
 
         var MaximumLoginAttempts = 10;
@@ -203,6 +205,72 @@ export default class ServiceSettings extends React.Component {
                         </div>
                     </div>
 
+                     <div className='form-group'>
+                        <label
+                            className='control-label col-sm-4'
+                            htmlFor='EnablePostUsernameOverride'
+                        >
+                            {'Enable Overriding Usernames from Webhooks: '}
+                        </label>
+                        <div className='col-sm-8'>
+                            <label className='radio-inline'>
+                                <input
+                                    type='radio'
+                                    name='EnablePostUsernameOverride'
+                                    value='true'
+                                    ref='EnablePostUsernameOverride'
+                                    defaultChecked={this.props.config.ServiceSettings.EnablePostUsernameOverride}
+                                    onChange={this.handleChange}
+                                />
+                                    {'true'}
+                            </label>
+                            <label className='radio-inline'>
+                                <input
+                                    type='radio'
+                                    name='EnablePostUsernameOverride'
+                                    value='false'
+                                    defaultChecked={!this.props.config.ServiceSettings.EnablePostUsernameOverride}
+                                    onChange={this.handleChange}
+                                />
+                                    {'false'}
+                            </label>
+                            <p className='help-text'>{'When true, webhooks will be allowed to change the username they are posting as. Note, combined with allowing icon overriding, this could open users up to phishing attacks.'}</p>
+                        </div>
+                    </div>
+
+                     <div className='form-group'>
+                        <label
+                            className='control-label col-sm-4'
+                            htmlFor='EnablePostIconOverride'
+                        >
+                            {'Enable Overriding Icon from Webhooks: '}
+                        </label>
+                        <div className='col-sm-8'>
+                            <label className='radio-inline'>
+                                <input
+                                    type='radio'
+                                    name='EnablePostIconOverride'
+                                    value='true'
+                                    ref='EnablePostIconOverride'
+                                    defaultChecked={this.props.config.ServiceSettings.EnablePostIconOverride}
+                                    onChange={this.handleChange}
+                                />
+                                    {'true'}
+                            </label>
+                            <label className='radio-inline'>
+                                <input
+                                    type='radio'
+                                    name='EnablePostIconOverride'
+                                    value='false'
+                                    defaultChecked={!this.props.config.ServiceSettings.EnablePostIconOverride}
+                                    onChange={this.handleChange}
+                                />
+                                    {'false'}
+                            </label>
+                            <p className='help-text'>{'When true, webhooks will be allowed to change the icon they post with. Note, combined with allowing username overriding, this could open users up to phishing attacks.'}</p>
+                        </div>
+                    </div>
+
                     <div className='form-group'>
                         <label
                             className='control-label col-sm-4'
diff --git a/web/react/components/post.jsx b/web/react/components/post.jsx
index ba53054cd..ac9c9252e 100644
--- a/web/react/components/post.jsx
+++ b/web/react/components/post.jsx
@@ -159,8 +159,10 @@ export default class Post extends React.Component {
         var profilePic = null;
         if (!this.props.hideProfilePic) {
             let src = '/api/v1/users/' + post.user_id + '/image?time=' + timestamp;
-            if (post.props && post.props.override_icon_url) {
-                src = post.props.override_icon_url;
+            if (post.props && post.props.from_webhook && global.window.config.EnablePostIconOverride === 'true') {
+                if (post.props.override_icon_url) {
+                    src = post.props.override_icon_url;
+                }
             }
 
             profilePic = (
diff --git a/web/react/components/post_header.jsx b/web/react/components/post_header.jsx
index c2cadb742..dd79b3e36 100644
--- a/web/react/components/post_header.jsx
+++ b/web/react/components/post_header.jsx
@@ -13,19 +13,26 @@ export default class PostHeader extends React.Component {
         var post = this.props.post;
 
         let userProfile = <UserProfile userId={post.user_id} />;
-        if (post.props && post.props.override_username) {
-            userProfile = (
-                <UserProfile
-                    userId={post.user_id}
-                    overwriteName={post.props.override_username}
-                    disablePopover={true}
-                />
-            );
+        let botIndicator;
+
+        if (post.props && post.props.from_webhook) {
+            if (post.props.override_username && global.window.config.EnablePostUsernameOverride === 'true') {
+                userProfile = (
+                    <UserProfile
+                        userId={post.user_id}
+                        overwriteName={post.props.override_username}
+                        disablePopover={true}
+                    />
+                );
+            }
+
+            botIndicator = <li className='post-header-col post-header__name bot-indicator'>{'BOT'}</li>;
         }
 
         return (
             <ul className='post-header post-header-post'>
                 <li className='post-header-col post-header__name'><strong>{userProfile}</strong></li>
+                {botIndicator}
                 <li className='post-info--hidden'>
                     <PostInfo
                         post={post}
diff --git a/web/react/components/post_list.jsx b/web/react/components/post_list.jsx
index 0354d132c..b90197ac4 100644
--- a/web/react/components/post_list.jsx
+++ b/web/react/components/post_list.jsx
@@ -520,13 +520,13 @@ export default class PostList extends React.Component {
                 //     the previous post was made by the same user as the current post,
                 //     the previous post is not a comment,
                 //     the current post is not a comment,
-                //     the current profile pic is not overridden
-                //     and the previous profile pic is not overridden
+                //     the current post is not from a webhook
+                //     and the previous post is not from a webhook
                 if ((prevPost.user_id === post.user_id) &&
                         !utils.isComment(prevPost) &&
                         !utils.isComment(post) &&
-                        (!post.props || !post.props.override_icon_url) &&
-                        (!prevPost.props || !prevPost.props.override_icon_url)) {
+                        (!post.props || !post.props.from_webhook) &&
+                        (!prevPost.props || !prevPost.props.from_webhook)) {
                     hideProfilePic = true;
                 }
             }
diff --git a/web/sass-files/sass/partials/_post.scss b/web/sass-files/sass/partials/_post.scss
index 7532875d6..8bf4b0534 100644
--- a/web/sass-files/sass/partials/_post.scss
+++ b/web/sass-files/sass/partials/_post.scss
@@ -509,3 +509,11 @@ body.ios {
 		}
 	}
 }
+
+.bot-indicator {
+    background-color: lightgrey;
+    border-radius:2px;
+    padding-left:2px;
+    padding-right:2px;
+    font-family:"Courier New"
+}
diff --git a/web/web.go b/web/web.go
index 564671285..176b1b8b5 100644
--- a/web/web.go
+++ b/web/web.go
@@ -843,6 +843,12 @@ func getAccessToken(c *api.Context, w http.ResponseWriter, r *http.Request) {
 }
 
 func incomingWebhook(c *api.Context, w http.ResponseWriter, r *http.Request) {
+	if !utils.Cfg.ServiceSettings.EnableIncomingWebhooks {
+		c.Err = model.NewAppError("incomingWebhook", "Incoming webhooks have been disabled by the system admin.", "")
+		c.Err.StatusCode = http.StatusNotImplemented
+		return
+	}
+
 	params := mux.Vars(r)
 	id := params["id"]
 
@@ -913,12 +919,13 @@ func incomingWebhook(c *api.Context, w http.ResponseWriter, r *http.Request) {
 	pchan := api.Srv.Store.Channel().CheckPermissionsTo(hook.TeamId, channel.Id, hook.UserId)
 
 	post := &model.Post{UserId: hook.UserId, ChannelId: channel.Id, Message: text}
+	post.AddProp("from_webhook", "true")
 
-	if len(overrideUsername) != 0 {
+	if len(overrideUsername) != 0 && utils.Cfg.ServiceSettings.EnablePostUsernameOverride {
 		post.AddProp("override_username", overrideUsername)
 	}
 
-	if len(overrideIconUrl) != 0 {
+	if len(overrideIconUrl) != 0 && utils.Cfg.ServiceSettings.EnablePostIconOverride {
 		post.AddProp("override_icon_url", overrideIconUrl)
 	}