summaryrefslogtreecommitdiffstats
path: root/api4/webhook.go
diff options
context:
space:
mode:
Diffstat (limited to 'api4/webhook.go')
-rw-r--r--api4/webhook.go45
1 files changed, 32 insertions, 13 deletions
diff --git a/api4/webhook.go b/api4/webhook.go
index 90d9a7dc8..05426e776 100644
--- a/api4/webhook.go
+++ b/api4/webhook.go
@@ -67,17 +67,21 @@ func updateIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- hookId := c.Params.HookId
-
updatedHook := model.IncomingWebhookFromJson(r.Body)
if updatedHook == nil {
c.SetInvalidParam("incoming_webhook")
return
}
+ // The hook being updated in the payload must be the same one as indicated in the URL.
+ if updatedHook.Id != c.Params.HookId {
+ c.SetInvalidParam("hook_id")
+ return
+ }
+
c.LogAudit("attempt")
- oldHook, err := c.App.GetIncomingWebhook(hookId)
+ oldHook, err := c.App.GetIncomingWebhook(c.Params.HookId)
if err != nil {
c.Err = err
return
@@ -247,34 +251,49 @@ func updateOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- toUpdateHook := model.OutgoingWebhookFromJson(r.Body)
- if toUpdateHook == nil {
+ updatedHook := model.OutgoingWebhookFromJson(r.Body)
+ if updatedHook == nil {
c.SetInvalidParam("outgoing_webhook")
return
}
+ // The hook being updated in the payload must be the same one as indicated in the URL.
+ if updatedHook.Id != c.Params.HookId {
+ c.SetInvalidParam("hook_id")
+ return
+ }
+
c.LogAudit("attempt")
- toUpdateHook.CreatorId = c.Session.UserId
+ oldHook, err := c.App.GetOutgoingWebhook(c.Params.HookId)
+ if err != nil {
+ c.Err = err
+ return
+ }
+
+ if updatedHook.TeamId == "" {
+ updatedHook.TeamId = oldHook.TeamId
+ }
- if !c.App.SessionHasPermissionToTeam(c.Session, toUpdateHook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
- c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
+ if updatedHook.TeamId != oldHook.TeamId {
+ c.Err = model.NewAppError("updateOutgoingHook", "api.webhook.team_mismatch.app_error", nil, "user_id="+c.Session.UserId, http.StatusBadRequest)
return
}
- oldHook, err := c.App.GetOutgoingWebhook(toUpdateHook.Id)
- if err != nil {
- c.Err = err
+ if !c.App.SessionHasPermissionToTeam(c.Session, updatedHook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
return
}
- if c.Session.UserId != oldHook.CreatorId && !c.App.SessionHasPermissionToTeam(c.Session, oldHook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+ if c.Session.UserId != oldHook.CreatorId && !c.App.SessionHasPermissionToTeam(c.Session, updatedHook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
c.LogAudit("fail - inappropriate permissions")
c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
return
}
- rhook, err := c.App.UpdateOutgoingWebhook(oldHook, toUpdateHook)
+ updatedHook.CreatorId = c.Session.UserId
+
+ rhook, err := c.App.UpdateOutgoingWebhook(oldHook, updatedHook)
if err != nil {
c.Err = err
return
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-05-09 06:51:28 +0000