From 910d13ce62dca3c209cb9a78f742cf9d1be34211 Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Fri, 8 May 2026 18:36:46 +0200
Subject: [PATCH] fix: only allow full admins to create 'token needed' webhooks

Signed-off-by: Robin Appelman
---
 .../lib/Controller/WebhooksController.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/apps/webhook_listeners/lib/Controller/WebhooksController.php b/apps/webhook_listeners/lib/Controller/WebhooksController.php
index 97bc8aa875eb5..bb3d7555382e2 100644
--- a/apps/webhook_listeners/lib/Controller/WebhooksController.php
+++ b/apps/webhook_listeners/lib/Controller/WebhooksController.php
@@ -26,8 +26,10 @@
 use OCP\AppFramework\OCS\OCSForbiddenException;
 use OCP\AppFramework\OCS\OCSNotFoundException;
 use OCP\AppFramework\OCSController;
+use OCP\IGroupManager;
 use OCP\IRequest;
 use OCP\ISession;
+use OCP\IUserSession;
 use Psr\Log\LoggerInterface;
 /**
@@ -42,6 +44,8 @@ public function __construct(
 private WebhookListenerMapper $mapper,
 private ?string $userId,
 private ISession $session,
+ private IUserSession $userSession,
+ private IGroupManager $groupManager,
 ) {
 parent::__construct($appName, $request);
 }
@@ -144,6 +148,12 @@ public function create(
 } catch (\ValueError $e) {
 throw new OCSBadRequestException('This auth method does not exist');
 }
+
+ $user = $this->userSession->getUser();
+ if (!$user || !$this->groupManager->isAdmin($user->getUID())) {
+ $tokenNeeded = null;
+ }
+
 try {
 $webhookListener = $this->mapper->addWebhookListener(
 $appId,
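Review bot: A non-admin caller that asked for `tokenNeeded` is silently downgraded at `$tokenNeeded = null;` instead of being refused, so the request succeeds with a webhook that lacks the property the client requested and nothing records the attempt. The class already imports `OCSForbiddenException`, so rejecting explicitly is a three-line change: `if ($tokenNeeded !== null && (!$user || !$this->groupManager->isAdmin($user->getUID()))) {` / `    throw new OCSForbiddenException('Only administrators can create webhooks that require a token');` / `}` (assuming the parameter defaults to null, as the nulling suggests). Whichever behaviour is kept, the guard deserves a why-comment, e.g. `// Token-requiring webhooks are admin-only; sub-admins are deliberately excluded (isAdmin, not isSubAdmin)`. The `create()` signature that declares `$tokenNeeded` starts before this hunk, and if the controller also has an update endpoint that accepts `tokenNeeded` it is not touched by this commit (1 file, 10 insertions) and presumably needs the same check.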