From af242ca93e988c13611802b8adf15931e51cec24 Mon Sep 17 00:00:00 2001 From: Adnan Maolood Date: Wed, 25 May 2022 10:42:51 -0400 Subject: [PATCH] api/webhooks: Fix ticket/tracker webhook queries Previously, we would only deliver tracker/ticket webhooks where the user ID matched the currently authenticated user, which meant that tracker/ticket webhooks for other users would not be delivered. This updates the tracker/ticket webhook filters to allow other users to receive webhook events while also ensuring that they have access to the tracker. --- api/webhooks/webhooks.go | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/api/webhooks/webhooks.go b/api/webhooks/webhooks.go index 2608662..573b3e6 100644 --- a/api/webhooks/webhooks.go +++ b/api/webhooks/webhooks.go @@ -27,11 +27,19 @@ func deliverUserWebhook(ctx context.Context, event model.WebhookEvent, func deliverTrackerWebhook(ctx context.Context, trackerID int, event model.WebhookEvent, payload model.WebhookPayload, payloadUUID uuid.UUID) { q := webhooks.ForContext(ctx) - userID := auth.ForContext(ctx).UserID query := sq. Select(). - From("gql_tracker_wh_sub sub"). - Where("sub.user_id = ? AND sub.tracker_id = ?", userID, trackerID) + From(`gql_tracker_wh_sub sub`). + Join(`tracker tr ON tr.id = sub.tracker_id`). + LeftJoin(`user_access ua ON ua.tracker_id = sub.tracker_id AND ua.user_id = sub.user_id`). + Where(sq.And{ + sq.Expr(`sub.tracker_id = ?`, trackerID), + sq.Or{ + sq.Expr(`tr.owner_id = sub.user_id`), + sq.Expr(`tr.visibility != 'PRIVATE'`), + sq.Expr(`ua.permissions > 0`), + }, + }) q.Schedule(ctx, query, "tracker", event.String(), payloadUUID, payload) } 
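Review bot: The access predicate in the new `Where` treats `tr.visibility != 'PRIVATE'` as sufficient on its own, so an explicit `user_access` row with `permissions = 0` for a subscriber on a public or unlisted tracker still results in delivery; if such rows are used anywhere as a deny (the semantics of `user_access` are not visible in this hunk), that case keeps sending events to a user whose access was revoked. It would be safer to mirror whatever rule the resolvers already use to decide who can see a tracker rather than re-deriving it in SQL here, and to pin it with a test covering the owner, non-private, explicit-grant and explicit-deny cases. The `LEFT JOIN user_access` also fans out one row per matching ACL entry, so unless `(tracker_id, user_id)` is unique in that table the same subscription can be scheduled twice for one event. Both hunks remove the only visible uses of `auth.ForContext`; if nothing else in the file references `auth`, the import must go too or the package no longer compiles.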
@@ -39,11 +47,19 @@ func deliverTrackerWebhook(ctx context.Context, trackerID int, func deliverTicketWebhook(ctx context.Context, ticketID int, event model.WebhookEvent, payload model.WebhookPayload, payloadUUID uuid.UUID) { q := webhooks.ForContext(ctx) - userID := auth.ForContext(ctx).UserID query := sq. Select(). From("gql_ticket_wh_sub sub"). - Where("sub.user_id = ? AND sub.ticket_id = ?", userID, ticketID) + Join(`tracker tr ON tr.id = sub.tracker_id`). + LeftJoin(`user_access ua ON ua.tracker_id = sub.tracker_id AND ua.user_id = sub.user_id`). + Where(sq.And{ + sq.Expr(`sub.ticket_id = ?`, ticketID), + sq.Or{ + sq.Expr(`tr.owner_id = sub.user_id`), + sq.Expr(`tr.visibility != 'PRIVATE'`), + sq.Expr(`ua.permissions > 0`), + }, + }) q.Schedule(ctx, query, "ticket", event.String(), payloadUUID, payload) }
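Review bot: The `Join`/`LeftJoin`/`sq.Or` authorization filter here is a byte-for-byte copy of the one in `deliverTrackerWebhook`, and an access rule that lives in two places drifts as soon as one copy is fixed; extract it into a helper both queries call so a later change (for example honouring an explicit `permissions = 0` row) lands in both delivery paths at once. The helper below takes the partially built `sq.SelectBuilder` and returns it with the joins and access predicate applied, leaving only the `sub.ticket_id` (or `sub.tracker_id`) condition at each call site; squirrel ANDs successive `Where` calls, so the result is the same query. Its doc comment should state that access is evaluated per delivery, so a subscriber who loses access to a tracker stops receiving events without the subscription row being removed.
```go
// withTrackerAccess joins the subscription's tracker and the subscriber's
// ACL entry and keeps only subscriptions whose user can still see the
// tracker: the owner, anyone on a non-private tracker, or a user holding
// an explicit user_access grant. Evaluated on every delivery, so revoked
// access stops deliveries without touching the subscription rows.
func withTrackerAccess(b sq.SelectBuilder) sq.SelectBuilder {
	return b.
		Join(`tracker tr ON tr.id = sub.tracker_id`).
		LeftJoin(`user_access ua ON ua.tracker_id = sub.tracker_id AND ua.user_id = sub.user_id`).
		Where(sq.Or{
			sq.Expr(`tr.owner_id = sub.user_id`),
			sq.Expr(`tr.visibility != 'PRIVATE'`),
			sq.Expr(`ua.permissions > 0`),
		})
}

// … in deliverTicketWebhook, replacing the Join/LeftJoin/Where chain:
	query := withTrackerAccess(sq.Select().From(`gql_ticket_wh_sub sub`)).
		Where(`sub.ticket_id = ?`, ticketID)
```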