fix: allow webhooks to be called from unauthenticated sources

Signed-off-by: Donnie Adams <[email protected]>
obot-platform · Nov 26, 2024 · 82e7db2 · 82e7db2
1 parent f532350
commit 82e7db2
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/pkg/api/authz/authz.go b/pkg/api/authz/authz.go
@@ -30,7 +30,7 @@ var staticRules = map[string][]string{
 		// Allow access to the oauth2 endpoints
 		"/oauth2/",
 
-		"POST /api/webhooks/{id}",
+		"POST /api/webhooks/{namespace}/{id}",
 		"GET /api/token-request/{id}",
 		"POST /api/token-request",
 		"GET /api/token-request/{id}/{service}",

diff --git a/pkg/api/handlers/webhooks.go b/pkg/api/handlers/webhooks.go
@@ -191,6 +191,12 @@ func (a *WebhookHandler) List(req api.Context) error {
 }
 
 func (a *WebhookHandler) RemoveToken(req api.Context) error {
+	// There is a chance that an unauthorized user could sneak through our authorization because of the pattern matching we are using.
+	// Check that the user is an admin here.
+	if !req.UserIsAdmin() {
+		return types.NewErrHttp(http.StatusForbidden, "unauthorized")
+	}
+
 	var wh v1.Webhook
 	if err := req.Get(&wh, req.PathValue("id")); err != nil {
 		return err