Files
fizzy/test/controllers/webhooks/activations_controller_test.rb
T
Jeremy Daer 4efa4da809 Fix IDOR in webhook activation endpoint (#2431)
The webhook activation controller was using account-scoped lookup
instead of board-scoped lookup, allowing users to reactivate webhooks
on boards they don't have access to.

This was an oversight when board-scoping was added to the main webhooks
controller - the activations controller was missed in that update.

The fix adds the BoardScoped concern to properly restrict webhook
activation to boards the user has explicit access to.
2026-01-24 17:06:12 -08:00

36 lines
1001 B
Ruby

require "test_helper"
class Webhooks::ActivationsControllerTest < ActionDispatch::IntegrationTest
setup do
sign_in_as :kevin
end
test "create" do
webhook = webhooks(:inactive)
assert_not webhook.active?
assert_changes -> { webhook.reload.active? }, from: false, to: true do
post board_webhook_activation_path(webhook.board, webhook)
end
assert_redirected_to board_webhook_path(webhook.board, webhook)
end
test "cannot activate webhook on board without access" do
logout_and_sign_in_as :jason
webhook = webhooks(:inactive) # on private board, jason has no access
post board_webhook_activation_path(webhook.board, webhook)
assert_response :not_found
end
test "non-admin cannot activate webhook" do
logout_and_sign_in_as :jz # member with writebook access, but not admin
webhook = webhooks(:active) # on writebook board
post board_webhook_activation_path(webhook.board, webhook)
assert_response :forbidden
end
end