Fix IDOR in webhook activation endpoint (#2431)
The webhook activation controller was using account-scoped lookup instead of board-scoped lookup, allowing users to reactivate webhooks on boards they don't have access to. This was an oversight when board-scoping was added to the main webhooks controller - the activations controller was missed in that update. The fix adds the BoardScoped concern to properly restrict webhook activation to boards the user has explicit access to.
This commit is contained in:
@@ -16,4 +16,20 @@ class Webhooks::ActivationsControllerTest < ActionDispatch::IntegrationTest
|
||||
|
||||
assert_redirected_to board_webhook_path(webhook.board, webhook)
|
||||
end
|
||||
|
||||
test "cannot activate webhook on board without access" do
|
||||
logout_and_sign_in_as :jason
|
||||
webhook = webhooks(:inactive) # on private board, jason has no access
|
||||
|
||||
post board_webhook_activation_path(webhook.board, webhook)
|
||||
assert_response :not_found
|
||||
end
|
||||
|
||||
test "non-admin cannot activate webhook" do
|
||||
logout_and_sign_in_as :jz # member with writebook access, but not admin
|
||||
webhook = webhooks(:active) # on writebook board
|
||||
|
||||
post board_webhook_activation_path(webhook.board, webhook)
|
||||
assert_response :forbidden
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user