Ghost/core/server/api/v2/webhooks.js
Nazar Gargol 60ae9e82f9 Fixed integration_id assignment for webhook when creating through API key auth
refs 173e3292fa

- The bug was initially introduced in referenced commit. When request is done with `api_key` context, there should always be an `integration` object associated with it - 71c17539d8/core/server/services/permissions/parse-context.js (L36) . An `id` from `context.integration` not `context.api_key` has to be assigned to newly created webhook!
- The webhooks API is about to be declared stable in upcoming release, so no migration will be done
2020-08-04 16:43:24 +12:00

152 lines
5.3 KiB
JavaScript

const models = require('../../models');
const {i18n} = require('../../lib/common');
const errors = require('@tryghost/errors');
module.exports = {
docName: 'webhooks',
add: {
statusCode: 201,
headers: {},
options: [],
data: [],
validation: {
data: {
event: {
required: true
},
target_url: {
required: true
}
}
},
permissions: true,
query(frame) {
return models.Webhook.getByEventAndTarget(
frame.data.webhooks[0].event,
frame.data.webhooks[0].target_url,
frame.options
).then((webhook) => {
if (webhook) {
return Promise.reject(
new errors.ValidationError({message: i18n.t('errors.api.webhooks.webhookAlreadyExists')})
);
}
return models.Webhook.add(frame.data.webhooks[0], frame.options);
});
}
},
edit: {
permissions: {
before: (frame) => {
if (frame.options.context && frame.options.context.integration && frame.options.context.integration.id) {
return models.Webhook.findOne({id: frame.options.id})
.then((webhook) => {
if (!webhook) {
throw new errors.NotFoundError({
message: i18n.t('errors.api.resource.resourceNotFound', {
resource: 'Webhook'
})
});
}
if (webhook.get('integration_id') !== frame.options.context.integration.id) {
throw new errors.NoPermissionError({
message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', {
method: 'edit'
}),
context: i18n.t('errors.api.webhooks.noPermissionToEdit.context', {
method: 'edit'
})
});
}
});
}
}
},
data: [
'name',
'event',
'target_url',
'secret',
'api_version'
],
options: [
'id'
],
validation: {
options: {
id: {
required: true
}
}
},
query({data, options}) {
return models.Webhook.edit(data.webhooks[0], Object.assign(options, {require: true}))
.catch(models.Webhook.NotFoundError, () => {
throw new errors.NotFoundError({
message: i18n.t('errors.api.resource.resourceNotFound', {
resource: 'Webhook'
})
});
});
}
},
destroy: {
statusCode: 204,
headers: {},
options: [
'id'
],
validation: {
options: {
id: {
required: true
}
}
},
permissions: {
before: (frame) => {
if (frame.options.context && frame.options.context.integration && frame.options.context.integration.id) {
return models.Webhook.findOne({id: frame.options.id})
.then((webhook) => {
if (!webhook) {
throw new errors.NotFoundError({
message: i18n.t('errors.api.resource.resourceNotFound', {
resource: 'Webhook'
})
});
}
if (webhook.get('integration_id') !== frame.options.context.integration.id) {
throw new errors.NoPermissionError({
message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', {
method: 'destroy'
}),
context: i18n.t('errors.api.webhooks.noPermissionToEdit.context', {
method: 'destroy'
})
});
}
});
}
}
},
query(frame) {
frame.options.require = true;
return models.Webhook.destroy(frame.options)
.then(() => null)
.catch(models.Webhook.NotFoundError, () => {
return Promise.reject(new errors.NotFoundError({
message: i18n.t('errors.api.resource.resourceNotFound', {
resource: 'Webhook'
})
}));
});
}
}
};