api/webhooks: Fix ticket/tracker webhook queries

Previously, we would only deliver tracker/ticket webhooks where the user
ID matched the currently authenticated user, which meant that
tracker/ticket webhooks for other users would not be delivered. This
updates the tracker/ticket webhook filters to allow other users to
receive webhook events while also ensuring that they have access to the
tracker.
Adnan Maolood 2022-05-25 10:42:51 -04:00 committed by Drew DeVault
parent f299d2f9a9
commit af242ca93e
1 changed files with 21 additions and 5 deletions


@ -27,11 +27,19 @@ func deliverUserWebhook(ctx context.Context, event model.WebhookEvent,
func deliverTrackerWebhook(ctx context.Context, trackerID int,
event model.WebhookEvent, payload model.WebhookPayload, payloadUUID uuid.UUID) {
q := webhooks.ForContext(ctx)
userID := auth.ForContext(ctx).UserID
query := sq.
Select().
From("gql_tracker_wh_sub sub").
Where("sub.user_id = ? AND sub.tracker_id = ?", userID, trackerID)
From(`gql_tracker_wh_sub sub`).
Join(`tracker tr ON tr.id = sub.tracker_id`).
LeftJoin(`user_access ua ON ua.tracker_id = sub.tracker_id AND ua.user_id = sub.user_id`).
Where(sq.And{
sq.Expr(`sub.tracker_id = ?`, trackerID),
sq.Or{
sq.Expr(`tr.owner_id = sub.user_id`),
sq.Expr(`tr.visibility != 'PRIVATE'`),
sq.Expr(`ua.permissions > 0`),
},
})
q.Schedule(ctx, query, "tracker", event.String(),
payloadUUID, payload)
}
@ -39,11 +47,19 @@ func deliverTrackerWebhook(ctx context.Context, trackerID int,
func deliverTicketWebhook(ctx context.Context, ticketID int,
event model.WebhookEvent, payload model.WebhookPayload, payloadUUID uuid.UUID) {
q := webhooks.ForContext(ctx)
userID := auth.ForContext(ctx).UserID
query := sq.
Select().
From("gql_ticket_wh_sub sub").
Where("sub.user_id = ? AND sub.ticket_id = ?", userID, ticketID)
Join(`tracker tr ON tr.id = sub.tracker_id`).
LeftJoin(`user_access ua ON ua.tracker_id = sub.tracker_id AND ua.user_id = sub.user_id`).
Where(sq.And{
sq.Expr(`sub.ticket_id = ?`, ticketID),
sq.Or{
sq.Expr(`tr.owner_id = sub.user_id`),
sq.Expr(`tr.visibility != 'PRIVATE'`),
sq.Expr(`ua.permissions > 0`),
},
})
q.Schedule(ctx, query, "ticket", event.String(),
payloadUUID, payload)
}
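Review bot: The access predicate in both rewritten queries accepts `ua.permissions > 0`, which treats any permission bit on the user_access row as enough to receive the payload, and `tr.visibility != 'PRIVATE'` passes before that row is consulted at all. If the permissions column is a bitfield where some bits do not imply read access, or if a user_access row can narrow a user's rights on a non-private tracker (neither is visible on this page), subscribers without read access would still be sent tracker and ticket events. Consider testing the read bit explicitly, for example `ua.permissions & ? != 0` bound to the project's browse/read constant, and letting an existing `ua` row take precedence over the visibility fallback. The same `sq.Or{...}` block is repeated in deliverTrackerWebhook and deliverTicketWebhook, so a shared helper returning the predicate would keep the two checks from drifting apart. A comment above it such as `// Deliver only to subscribers who can currently read the tracker.` would record the intent.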