Fix IDOR in webhook activation endpoint (#2431)
The webhook activation controller was using account-scoped lookup instead of board-scoped lookup, allowing users to reactivate webhooks on boards they don't have access to. This was an oversight when board-scoping was added to the main webhooks controller - the activations controller was missed in that update. The fix adds the BoardScoped concern to properly restrict webhook activation to boards the user has explicit access to.
This commit is contained in:
@@ -121,4 +121,13 @@ class WebhooksControllerTest < ActionDispatch::IntegrationTest
|
||||
|
||||
assert_redirected_to board_webhooks_path(webhook.board)
|
||||
end
|
||||
|
||||
test "cannot access webhooks on board without access" do
|
||||
logout_and_sign_in_as :jason
|
||||
|
||||
webhook = webhooks(:inactive) # on private board, jason has no access
|
||||
|
||||
get board_webhooks_path(webhook.board)
|
||||
assert_response :not_found
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user