api/webhooks: Fix ticket/tracker webhook queries
Previously, we would only deliver tracker/ticket webhooks where the user ID matched the currently authenticated user, which meant that tracker/ticket webhooks for other users would not be delivered. This updates the tracker/ticket webhook filters to allow other users to receive webhook events while also ensuring that they have access to the tracker.
parent
f299d2f9a9
commit
af242ca93e
|
@ -27,11 +27,19 @@ func deliverUserWebhook(ctx context.Context, event model.WebhookEvent,
|
|||
func deliverTrackerWebhook(ctx context.Context, trackerID int,
|
||||
event model.WebhookEvent, payload model.WebhookPayload, payloadUUID uuid.UUID) {
|
||||
q := webhooks.ForContext(ctx)
|
||||
userID := auth.ForContext(ctx).UserID
|
||||
query := sq.
|
||||
Select().
|
||||
From("gql_tracker_wh_sub sub").
|
||||
Where("sub.user_id = ? AND sub.tracker_id = ?", userID, trackerID)
|
||||
From(`gql_tracker_wh_sub sub`).
|
||||
Join(`tracker tr ON tr.id = sub.tracker_id`).
|
||||
LeftJoin(`user_access ua ON ua.tracker_id = sub.tracker_id AND ua.user_id = sub.user_id`).
|
||||
Where(sq.And{
|
||||
sq.Expr(`sub.tracker_id = ?`, trackerID),
|
||||
sq.Or{
|
||||
sq.Expr(`tr.owner_id = sub.user_id`),
|
||||
sq.Expr(`tr.visibility != 'PRIVATE'`),
|
||||
sq.Expr(`ua.permissions > 0`),
|
||||
},
|
||||
})
|
||||
q.Schedule(ctx, query, "tracker", event.String(),
|
||||
payloadUUID, payload)
|
||||
}
|
||||
|
@ -39,11 +47,19 @@ func deliverTrackerWebhook(ctx context.Context, trackerID int,
|
|||
func deliverTicketWebhook(ctx context.Context, ticketID int,
|
||||
event model.WebhookEvent, payload model.WebhookPayload, payloadUUID uuid.UUID) {
|
||||
q := webhooks.ForContext(ctx)
|
||||
userID := auth.ForContext(ctx).UserID
|
||||
query := sq.
|
||||
Select().
|
||||
From("gql_ticket_wh_sub sub").
|
||||
Where("sub.user_id = ? AND sub.ticket_id = ?", userID, ticketID)
|
||||
Join(`tracker tr ON tr.id = sub.tracker_id`).
|
||||
LeftJoin(`user_access ua ON ua.tracker_id = sub.tracker_id AND ua.user_id = sub.user_id`).
|
||||
Where(sq.And{
|
||||
sq.Expr(`sub.ticket_id = ?`, ticketID),
|
||||
sq.Or{
|
||||
sq.Expr(`tr.owner_id = sub.user_id`),
|
||||
sq.Expr(`tr.visibility != 'PRIVATE'`),
|
||||
sq.Expr(`ua.permissions > 0`),
|
||||
},
|
||||
})
|
||||
q.Schedule(ctx, query, "ticket", event.String(),
|
||||
payloadUUID, payload)
|
||||
}
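Review bot: The access predicate in the new `Where(sq.And{...})` of deliverTrackerWebhook, repeated unchanged in deliverTicketWebhook, is a flat OR, so `tr.visibility != 'PRIVATE'` admits a subscriber even when their `user_access` row exists with `permissions = 0`. Separately, `ua.permissions > 0` accepts any permission bit rather than one that grants read access. The diff does not show the ACL model, but if a `user_access` row is meant to override the tracker's default access, an existing row should take precedence, for example by changing the visibility arm to `tr.visibility != 'PRIVATE' AND ua.permissions IS NULL` and testing the specific read bit in the last arm. Because the same payload now goes to every matching subscriber instead of only the authenticated user, this filter is the only authorization step visible on the delivery path. It would help to add a comment such as `// Authorization: subscriber must currently be able to view the tracker` above each `Where`, and to build the predicate in one shared helper so the two queries cannot drift apart.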
|
||||
|
|