Fix IDOR in webhook activation endpoint (#2431)

The webhook activation controller was using account-scoped lookup
instead of board-scoped lookup, allowing users to reactivate webhooks
on boards they don't have access to.

This was an oversight when board-scoping was added to the main webhooks
controller - the activations controller was missed in that update.

The fix adds the BoardScoped concern to properly restrict webhook
activation to boards the user has explicit access to.
This commit is contained in:
Jeremy Daer
2026-01-24 17:06:12 -08:00
committed by GitHub
parent 16745e89d1
commit 4efa4da809
3 changed files with 28 additions and 1 deletions
@@ -121,4 +121,13 @@ class WebhooksControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to board_webhooks_path(webhook.board)
end
test "cannot access webhooks on board without access" do
logout_and_sign_in_as :jason
webhook = webhooks(:inactive) # on private board, jason has no access
get board_webhooks_path(webhook.board)
assert_response :not_found
end
end