Add finer permission requirements for managing webhooks (#25463)
ClearlyClaire committed Jul 6, 2023
1 parent 8acbfc6 commit e65e3a6
Showing 5 changed files with 30 additions and 3 deletions.
3 changes: 3 additions & 0 deletions app/controllers/admin/webhooks_controller.rb
Expand Up @@ -20,6 +20,7 @@ def create
authorize :webhook, :create?

@webhook = Webhook.new(resource_params)
@webhook.current_account = current_account

if @webhook.save
redirect_to admin_webhook_path(@webhook)
Expand All @@ -39,6 +40,8 @@ def edit
def update
authorize @webhook, :update?

@webhook.current_account = current_account

if @webhook.update(resource_params)
redirect_to admin_webhook_path(@webhook)
else
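Review bot: The two new `@webhook.current_account = current_account` lines carry no hint that the model check they enable is skipped entirely when the writer is never called (the model guards on `defined?(@current_account)`), so a future write path that forgets the assignment would silently bypass the event permission validation; a why-comment on each would make that dependency visible, e.g. `# Required for Webhook#validate_permissions; without it the per-event permission check is skipped`. Placing the assignment after `Webhook.new(resource_params)` in `create` and before `update(resource_params)` in `update` is fine, since the check only runs at validation time. Both `create` and `update` continue outside the hunk.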
20 changes: 20 additions & 0 deletions app/models/webhook.rb
Expand Up @@ -20,13 +20,16 @@ class Webhook < ApplicationRecord
report.created
).freeze

attr_writer :current_account

scope :enabled, -> { where(enabled: true) }

validates :url, presence: true, url: true
validates :secret, presence: true, length: { minimum: 12 }
validates :events, presence: true

validate :validate_events
validate :validate_permissions

before_validation :strip_events
before_validation :generate_secret
Expand All @@ -43,12 +46,29 @@ def disable!
update!(enabled: false)
end

def required_permissions
events.map { |event| Webhook.permission_for_event(event) }
end

def self.permission_for_event(event)
case event
when 'account.approved', 'account.created', 'account.updated'
:manage_users
when 'report.created'
:manage_reports
end
end

private

def validate_events
errors.add(:events, :invalid) if events.any? { |e| !EVENTS.include?(e) }
end

def validate_permissions
errors.add(:events, :invalid_permissions) if defined?(@current_account) && required_permissions.any? { |permission| !@current_account.user_role.can?(permission) }
end

def strip_events
self.events = events.map { |str| str.strip.presence }.compact if events.present?
end
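Review bot: `validate_permissions` fails open: `defined?(@current_account)` is false on any save that never touched the writer, so every save path outside the admin controller skips the check, and it is true when the writer was handed `nil`, in which case `@current_account.user_role` raises NoMethodError. A presence-based guard, `errors.add(:events, :invalid_permissions) if @current_account && required_permissions.any? { |permission| !@current_account.user_role.can?(permission) }`, removes the nil crash, and the intentional skip deserves a comment such as `# Only enforced when the saving account is known (admin UI); other save paths are not checked here`. Separately, `permission_for_event` has no `else` branch, so an event later added to EVENTS without a mapping yields `nil` in `required_permissions` and reaches the policy as `role.can?(nil)`; a comment on `permission_for_event` stating that every entry in EVENTS must have a mapping would make that contract explicit. The class opens outside the hunk and continues past it.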
4 changes: 2 additions & 2 deletions app/policies/webhook_policy.rb
Expand Up @@ -14,7 +14,7 @@ def show?
end

def update?
role.can?(:manage_webhooks)
role.can?(:manage_webhooks) && record.required_permissions.all? { |permission| role.can?(permission) }
end

def enable?
Expand All @@ -30,6 +30,6 @@ def rotate_secret?
end

def destroy?
role.can?(:manage_webhooks)
role.can?(:manage_webhooks) && record.required_permissions.all? { |permission| role.can?(permission) }
end
end
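Review bot: The per-event permission guard is added to `update?` and `destroy?` only; `enable?` and `rotate_secret?` have bodies outside this hunk, so whether they also consult `record.required_permissions` cannot be seen here — if they still require only `:manage_webhooks`, a role without `:manage_reports` could still enable or re-key a webhook that delivers `report.created`, which seems to undercut the intent of the change. The identical `record.required_permissions.all? { |permission| role.can?(permission) }` expression is now duplicated in both methods; extracting it into a private predicate keeps the two in step as further actions adopt it. The class opens outside the hunk; its closing `end` is the last line shown.
```ruby
def update?
  role.can?(:manage_webhooks) && permitted_for_all_events?
end

# … unchanged: enable?, rotate_secret? and the other actions …

def destroy?
  role.can?(:manage_webhooks) && permitted_for_all_events?
end

private

# Every event the webhook subscribes to must map to a permission the role holds.
def permitted_for_all_events?
  record.required_permissions.all? { |permission| role.can?(permission) }
end
```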
2 changes: 1 addition & 1 deletion app/views/admin/webhooks/_form.html.haml
Expand Up @@ -5,7 +5,7 @@
= f.input :url, wrapper: :with_block_label, input_html: { placeholder: 'https://' }

.fields-group
= f.input :events, collection: Webhook::EVENTS, wrapper: :with_block_label, include_blank: false, as: :check_boxes, collection_wrapper_tag: 'ul', item_wrapper_tag: 'li'
= f.input :events, collection: Webhook::EVENTS, wrapper: :with_block_label, include_blank: false, as: :check_boxes, collection_wrapper_tag: 'ul', item_wrapper_tag: 'li', disabled: Webhook::EVENTS.filter { |event| !current_user.role.can?(Webhook.permission_for_event(event)) }

.actions
= f.button :button, @webhook.new_record? ? t('admin.webhooks.add_new') : t('generic.save_changes'), type: :submit
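Review bot: The `disabled:` list on the new `f.input :events` line uses `filter { |event| !… }`, where `reject { |event| current_user.role.can?(Webhook.permission_for_event(event)) }` expresses the same set without the negation; on a line this long, hoisting the list into a view helper or an instance variable set by the controller would also keep the template readable. The disabling is a UI convenience only — the server-side enforcement is the model's `validate_permissions` and the policy's `update?`/`destroy?` — and a one-line HAML comment saying so would stop a later reader from treating the disabled attribute as the check. The form continues outside the hunk.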
4 changes: 4 additions & 0 deletions config/locales/activerecord.en.yml
Expand Up @@ -53,3 +53,7 @@ en:
position:
elevated: cannot be higher than your current role
own_role: cannot be changed with your current role
webhook:
attributes:
events:
invalid_permissions: cannot include events you don't have the rights to
