Fix IDOR in webhook activation endpoint (#2431)

The webhook activation controller was using account-scoped lookup
instead of board-scoped lookup, allowing users to reactivate webhooks
on boards they don't have access to.

This was an oversight when board-scoping was added to the main webhooks
controller - the activations controller was missed in that update.

The fix adds the BoardScoped concern to properly restrict webhook
activation to boards the user has explicit access to.
This commit is contained in:
Jeremy Daer
2026-01-24 17:06:12 -08:00
committed by GitHub
parent 16745e89d1
commit 4efa4da809
3 changed files with 28 additions and 1 deletions
@@ -16,4 +16,20 @@ class Webhooks::ActivationsControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to board_webhook_path(webhook.board, webhook)
end
test "cannot activate webhook on board without access" do
logout_and_sign_in_as :jason
webhook = webhooks(:inactive) # on private board, jason has no access
post board_webhook_activation_path(webhook.board, webhook)
assert_response :not_found
end
test "non-admin cannot activate webhook" do
logout_and_sign_in_as :jz # member with writebook access, but not admin
webhook = webhooks(:active) # on writebook board
post board_webhook_activation_path(webhook.board, webhook)
assert_response :forbidden
end
end
@@ -121,4 +121,13 @@ class WebhooksControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to board_webhooks_path(webhook.board)
end
test "cannot access webhooks on board without access" do
logout_and_sign_in_as :jason
webhook = webhooks(:inactive) # on private board, jason has no access
get board_webhooks_path(webhook.board)
assert_response :not_found
end
end