From b66e4bc932ed76c1cfd2b5f4ec0cfce70cd9fbb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?=
Date: Wed, 7 Mar 2018 14:54:47 +0000
Subject: MM-8830 Consistent Incomming/Outgoing webhooks permissions (#8335)

---
 api4/webhook.go | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/api4/webhook.go b/api4/webhook.go
index e19f14704..dcbf6c2af 100644
--- a/api4/webhook.go
+++ b/api4/webhook.go
@@ -194,10 +194,16 @@ func getIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 			c.LogAudit("fail - bad permissions")
 			c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
 			return
-		} else {
-			w.Write([]byte(hook.ToJson()))
+		}
+
+		if c.Session.UserId != hook.UserId && !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+			c.LogAudit("fail - inappropriate permissions")
+			c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
 			return
 		}
+
+		w.Write([]byte(hook.ToJson()))
+		return
 	}
 }
 
@@ -228,14 +234,20 @@ func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 			c.LogAudit("fail - bad permissions")
 			c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
 			return
-		} else {
-			if err = c.App.DeleteIncomingWebhook(hookId); err != nil {
-				c.Err = err
-				return
-			}
+		}
 
-			ReturnStatusOK(w)
+		if c.Session.UserId != hook.UserId && !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+			c.LogAudit("fail - inappropriate permissions")
+			c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
+			return
 		}
+
+		if err = c.App.DeleteIncomingWebhook(hookId); err != nil {
+			c.Err = err
+			return
+		}
+
+		ReturnStatusOK(w)
 	}
 }
 
-- 
cgit v1.2.3-1-g7c22
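Review bot: The owner-or-MANAGE_OTHERS_WEBHOOKS condition added in getIncomingHook is repeated byte-for-byte in the deleteIncomingHook hunk below, so the two handlers will silently diverge the next time the policy changes; one helper such as `func canManageHookOf(c *Context, ownerId, teamId string) bool { return c.Session.UserId == ownerId || c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) }` keeps the authorization decision in a single place for both handlers. The trailing `return` after `w.Write(...)` is redundant, since the enclosing block ends immediately before the function's closing brace. The `if` statement this hunk closes, and the assignment of `hook`, begin outside the hunk.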
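Review bot: Nothing in deleteIncomingHook states why there are now two separate permission checks, and the differing audit strings `fail - bad permissions` and `fail - inappropriate permissions` are the only hint; a comment above the new condition, e.g. `// Deleting a hook created by another user additionally requires MANAGE_OTHERS_WEBHOOKS on the hook's team.`, would make the rule explicit for the next reader and for anyone correlating the two audit entries. The preceding check, whose condition begins outside the hunk, presumably already rejects callers without MANAGE_WEBHOOKS on the team, so the comment should present the new check as a second tier rather than a replacement. The function's opening and the assignment of `hook` and `hookId` are outside the hunk.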