From 25b2daad93cf9953e52534927b2b7c34e7c2479b Mon Sep 17 00:00:00 2001 From: "Stanko K.R." Date: Fri, 12 Sep 2025 19:16:39 +0200 Subject: [PATCH] Limit access to webhooks to admins --- app/controllers/admin_controller.rb | 2 +- app/controllers/application_controller.rb | 2 +- app/controllers/concerns/authorization.rb | 10 ++++++++++ app/controllers/concerns/staff_only.rb | 12 ------------ app/controllers/conversations/messages_controller.rb | 3 +-- app/controllers/conversations_controller.rb | 2 +- app/controllers/webhooks/activations_controller.rb | 1 + app/controllers/webhooks_controller.rb | 1 + app/models/user/role.rb | 2 +- app/views/account/settings/show.html.erb | 9 ++++++--- 10 files changed, 23 insertions(+), 21 deletions(-) create mode 100644 app/controllers/concerns/authorization.rb delete mode 100644 app/controllers/concerns/staff_only.rb diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index 60f2b01e1..4e7e52372 100644 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -1,3 +1,3 @@ class AdminController < ApplicationController - include StaffOnly + before_action :ensure_is_staff_member end diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 6abefad23..aa35df0b3 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,5 +1,5 @@ class ApplicationController < ActionController::Base - include Authentication, CurrentRequest, CurrentTimezone, SetPlatform, TurboFlash, WriterAffinity + include Authentication, Authorization, CurrentRequest, CurrentTimezone, SetPlatform, TurboFlash, WriterAffinity stale_when_importmap_changes allow_browser versions: :modern, block: -> { render "errors/not_acceptable", layout: "error" } diff --git a/app/controllers/concerns/authorization.rb b/app/controllers/concerns/authorization.rb new file mode 100644 index 000000000..38873b098 --- /dev/null +++ b/app/controllers/concerns/authorization.rb @@ -0,0 +1,10 @@ +module Authorization + private + def ensure_can_administer + head :forbidden unless Current.user.admin? + end + + def ensure_is_staff_member + head :forbidden unless Current.user.staff? + end +end diff --git a/app/controllers/concerns/staff_only.rb b/app/controllers/concerns/staff_only.rb deleted file mode 100644 index e8c34ffda..000000000 --- a/app/controllers/concerns/staff_only.rb +++ /dev/null @@ -1,12 +0,0 @@ -module StaffOnly - extend ActiveSupport::Concern - - included do - before_action :ensure_staff - end - - private - def ensure_staff - head :forbidden unless Current.user.staff? - end -end diff --git a/app/controllers/conversations/messages_controller.rb b/app/controllers/conversations/messages_controller.rb index c69b1e684..d37ac040b 100644 --- a/app/controllers/conversations/messages_controller.rb +++ b/app/controllers/conversations/messages_controller.rb @@ -1,6 +1,5 @@ class Conversations::MessagesController < ApplicationController - include StaffOnly - + before_action :ensure_is_staff_member before_action :set_conversation def index diff --git a/app/controllers/conversations_controller.rb b/app/controllers/conversations_controller.rb index 69de90d03..2e100fecf 100644 --- a/app/controllers/conversations_controller.rb +++ b/app/controllers/conversations_controller.rb @@ -1,5 +1,5 @@ class ConversationsController < ApplicationController - include StaffOnly + before_action :ensure_is_staff_member def create Current.user.start_or_continue_conversation diff --git a/app/controllers/webhooks/activations_controller.rb b/app/controllers/webhooks/activations_controller.rb index bc72998f2..ea30e1e87 100644 --- a/app/controllers/webhooks/activations_controller.rb +++ b/app/controllers/webhooks/activations_controller.rb @@ -1,4 +1,5 @@ class Webhooks::ActivationsController < ApplicationController + before_action :ensure_can_administer before_action :set_webhook def create diff --git a/app/controllers/webhooks_controller.rb b/app/controllers/webhooks_controller.rb index c40fc72c2..c65f37532 100644 --- a/app/controllers/webhooks_controller.rb +++ b/app/controllers/webhooks_controller.rb @@ -1,6 +1,7 @@ class WebhooksController < ApplicationController include FilterScoped + before_action :ensure_can_administer before_action :set_webhook, except: %i[ index new create ] def index diff --git a/app/models/user/role.rb b/app/models/user/role.rb index 4a90410b5..aaa4bd5ff 100644 --- a/app/models/user/role.rb +++ b/app/models/user/role.rb @@ -18,7 +18,7 @@ module User::Role admin? || other == self end - def can_administer?(other) + def can_administer?(other = nil) admin? && other != self end end diff --git a/app/views/account/settings/show.html.erb b/app/views/account/settings/show.html.erb index 6ab7e3bb7..492ee6cb4 100644 --- a/app/views/account/settings/show.html.erb +++ b/app/views/account/settings/show.html.erb @@ -4,10 +4,13 @@ <%= render "filters/menu", user_filtering: @user_filtering %>

<%= @page_title %>

- <%= link_to webhooks_path, class: "btn" do %> - <%= icon_tag "world" %> - Webhooks + <% if Current.user.admin? %> + <%= link_to webhooks_path, class: "btn" do %> + <%= icon_tag "world" %> + Webhooks + <% end %> <% end %> + <%= link_to workflows_path, class: "btn" do %> <%= icon_tag "bolt" %> Workflows