#3057 retrieve webhook with repo_id
This prevents a user from retrieving an arbitrary webhook by changing the URL to access webhooks that belong to other repositories the user is not authorized for.
parent
e30c701386
commit
d62ab49978
@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
|
||||
|
||||
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
|
||||
|
||||
##### Current tip version: 0.9.37 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
|
||||
##### Current tip version: 0.9.38 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
|
||||
|
||||
| Web | UI | Preview |
|
||||
|:-------------:|:-------:|:-------:|
|
||||
|
2
gogs.go
2
gogs.go
@ -17,7 +17,7 @@ import (
|
||||
"github.com/gogits/gogs/modules/setting"
|
||||
)
|
||||
|
||||
const APP_VER = "0.9.37.0708"
|
||||
const APP_VER = "0.9.38.0708"
|
||||
|
||||
func init() {
|
||||
runtime.GOMAXPROCS(runtime.NumCPU())
|
||||
|
@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
|
||||
return err
|
||||
}
|
||||
|
||||
// GetWebhookByID returns webhook by given ID.
|
||||
func GetWebhookByID(id int64) (*Webhook, error) {
|
||||
// GetWebhookByID returns webhook of repository by given ID.
|
||||
func GetWebhookByID(repoID, id int64) (*Webhook, error) {
|
||||
w := new(Webhook)
|
||||
has, err := x.Id(id).Get(w)
|
||||
has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
} else if !has {
|
||||
@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
|
||||
}
|
||||
|
||||
// Update webhook last delivery status.
|
||||
w, err := GetWebhookByID(t.HookID)
|
||||
w, err := GetWebhookByID(t.RepoID, t.HookID)
|
||||
if err != nil {
|
||||
log.Error(5, "GetWebhookByID: %v", err)
|
||||
return
|
||||
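Review bot: The doc comment on the new `GetWebhookByID(repoID, id int64)` does not say that `repoID` is an authorization scope, which is the reason for the change. I would write it as `// GetWebhookByID returns the webhook with the given ID only if it belongs to repository repoID; a webhook owned by another repository is reported as not existing.` Because the filter is part of the query, a foreign hook and a missing hook both take the `!has` branch, whose body is cut off at the end of the hunk. The second hunk in this file now passes `t.RepoID` in `deliver()`; if any stored HookTask rows carry a zero RepoID, the last-delivery status update would fail with only the `log.Error` line, so that is worth checking before release.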
|
@ -98,7 +98,7 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
|
||||
|
||||
// https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook
|
||||
func EditHook(ctx *context.APIContext, form api.EditHookOption) {
|
||||
w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
|
||||
w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
|
||||
if err != nil {
|
||||
if models.IsErrWebhookNotExist(err) {
|
||||
ctx.Status(404)
|
||||
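Review bot: Nothing at the call site in `EditHook` says why the repository ID is passed, so a later refactor could drop the scope again. I would add `// Scope the lookup to the current repository: a hook ID that belongs to another repository must yield 404.` above the `GetWebhookByID` call. Only `EditHook` is visible in this section; any other handler in the file that acts on the `:id` parameter (a delete path, for example) needs the same repository scope, which cannot be confirmed from this hunk. The function body continues outside the hunk.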
|
@ -220,7 +220,7 @@ func checkWebhook(ctx *context.Context) (*OrgRepoCtx, *models.Webhook) {
|
||||
}
|
||||
ctx.Data["BaseLink"] = orCtx.Link
|
||||
|
||||
w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
|
||||
w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
|
||||
if err != nil {
|
||||
if models.IsErrWebhookNotExist(err) {
|
||||
ctx.Handle(404, "GetWebhookByID", nil)
|
||||
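Review bot: `ctx.Repo.Repository.ID` is dereferenced unconditionally in `checkWebhook`, yet the function returns an `*OrgRepoCtx` and sets `BaseLink` from `orCtx.Link`, which suggests it also serves organization-level webhook pages. If it does, `ctx.Repo.Repository` may be nil there and the handler would panic, or the `repo_id` filter would never match a hook owned by an organization and those pages would return 404. The lookup should branch on the context, scoping by repository ID on repository pages and by the organization's ID on organization pages; the organization-scoped lookup is not part of this commit. The function body starts and ends outside the hunk, so this is inferred from the signature and the `orCtx` usage.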
|
@ -1 +1 @@
|
||||
0.9.37.0708
|
||||
0.9.38.0708
|