Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-10 23:36:14 -05:00
Code Issues Activity

🐛 Fixed 500 error in webhooks API when modifying non-existing webhooks

Browse source 
closes #12064

- Handled permission check bug by returning 404, same way it is returned in other permissions related places when handling non-existing resource. Example - 60907a7ae4/core/server/models/relations/authors.js (L355-L358)
This commit is contained in:
Nazar Gargol 2020-08-03 23:08:47 +12:00
parent 60907a7ae4
commit 1b449f4f53
5 changed files with 83 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
core/server/api/canary/webhooks.js
View file

@ -34,6 +34,14 @@ module.exports = {
if (frame.options.context && frame.options.context.api_key && frame.options.context.api_key.id) { if (frame.options.context && frame.options.context.api_key && frame.options.context.api_key.id) {
return models.Webhook.findOne({id: frame.options.id}) return models.Webhook.findOne({id: frame.options.id})
.then((webhook) => { .then((webhook) => {
if (!webhook) {
throw new errors.NotFoundError({
message: i18n.t('errors.api.resource.resourceNotFound', {
resource: 'Webhook'
})
});
}
if (webhook.get('integration_id') !== frame.options.context.api_key.id) { if (webhook.get('integration_id') !== frame.options.context.api_key.id) {
throw new errors.NoPermissionError({ throw new errors.NoPermissionError({
message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', { message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', {
@ -95,6 +103,14 @@ module.exports = {
if (frame.options.context && frame.options.context.api_key && frame.options.context.api_key.id) { if (frame.options.context && frame.options.context.api_key && frame.options.context.api_key.id) {
return models.Webhook.findOne({id: frame.options.id}) return models.Webhook.findOne({id: frame.options.id})
.then((webhook) => { .then((webhook) => {
if (!webhook) {
throw new errors.NotFoundError({
message: i18n.t('errors.api.resource.resourceNotFound', {
resource: 'Webhook'
})
});
}
if (webhook.get('integration_id') !== frame.options.context.api_key.id) { if (webhook.get('integration_id') !== frame.options.context.api_key.id) {
throw new errors.NoPermissionError({ throw new errors.NoPermissionError({
message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', { message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', {

16
core/server/api/v2/webhooks.js
View file

@ -44,6 +44,14 @@ module.exports = {
if (frame.options.context && frame.options.context.api_key && frame.options.context.api_key.id) { if (frame.options.context && frame.options.context.api_key && frame.options.context.api_key.id) {
return models.Webhook.findOne({id: frame.options.id}) return models.Webhook.findOne({id: frame.options.id})
.then((webhook) => { .then((webhook) => {
if (!webhook) {
throw new errors.NotFoundError({
message: i18n.t('errors.api.resource.resourceNotFound', {
resource: 'Webhook'
})
});
}
if (webhook.get('integration_id') !== frame.options.context.api_key.id) { if (webhook.get('integration_id') !== frame.options.context.api_key.id) {
throw new errors.NoPermissionError({ throw new errors.NoPermissionError({
message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', { message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', {
@ -105,6 +113,14 @@ module.exports = {
if (frame.options.context && frame.options.context.api_key && frame.options.context.api_key.id) { if (frame.options.context && frame.options.context.api_key && frame.options.context.api_key.id) {
return models.Webhook.findOne({id: frame.options.id}) return models.Webhook.findOne({id: frame.options.id})
.then((webhook) => { .then((webhook) => {
if (!webhook) {
throw new errors.NotFoundError({
message: i18n.t('errors.api.resource.resourceNotFound', {
resource: 'Webhook'
})
});
}
if (webhook.get('integration_id') !== frame.options.context.api_key.id) { if (webhook.get('integration_id') !== frame.options.context.api_key.id) {
throw new errors.NoPermissionError({ throw new errors.NoPermissionError({
message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', { message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', {

17
test/regression/api/canary/admin/webhooks_spec.js
View file

@ -154,6 +154,23 @@ describe('Webhooks API (canary)', function () {
}); });
}); });
it('Integration editing non-existing webhook returns 404', function () {
return request.put(localUtils.API.getApiQuery(`webhooks/5f27d0287c75da744d8615da/`))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/canary/admin/', testUtils.DataGenerator.Content.api_keys[0])}`)
.send({
webhooks: [{
name: 'Edit Test'
}]
})
.expect(404);
});
it('Integration deleting non-existing webhook returns 404', function () {
return request.delete(localUtils.API.getApiQuery(`webhooks/5f27d0287c75da744d8615db/`))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/canary/admin/', testUtils.DataGenerator.Content.api_keys[0])}`)
.expect(404);
});
it('Cannot edit webhooks using content api keys', function () { it('Cannot edit webhooks using content api keys', function () {
let webhookData = { let webhookData = {
event: 'post.create', event: 'post.create',

17
test/regression/api/v2/admin/webhooks_spec.js
View file

@ -103,6 +103,23 @@ describe('Webhooks API (v2)', function () {
}); });
}); });
it('Integration editing non-existing webhook returns 404', function () {
return request.put(localUtils.API.getApiQuery(`webhooks/5f27d0287c75da744d8615da/`))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/v2/admin/', testUtils.DataGenerator.Content.api_keys[0])}`)
.send({
webhooks: [{
name: 'Edit Test'
}]
})
.expect(404);
});
it('Integration deleting non-existing webhook returns 404', function () {
return request.delete(localUtils.API.getApiQuery(`webhooks/5f27d0287c75da744d8615db/`))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/v2/admin/', testUtils.DataGenerator.Content.api_keys[0])}`)
.expect(404);
});
it('Cannot edit webhooks using content api keys', function () { it('Cannot edit webhooks using content api keys', function () {
let webhookData = { let webhookData = {
event: 'post.create', event: 'post.create',

17
test/regression/api/v3/admin/webhooks_spec.js
View file

@ -103,6 +103,23 @@ describe('Webhooks API (v3)', function () {
}); });
}); });
it('Integration editing non-existing webhook returns 404', function () {
return request.put(localUtils.API.getApiQuery(`webhooks/5f27d0287c75da744d8615da/`))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/v3/admin/', testUtils.DataGenerator.Content.api_keys[0])}`)
.send({
webhooks: [{
name: 'Edit Test'
}]
})
.expect(404);
});
it('Integration deleting non-existing webhook returns 404', function () {
return request.delete(localUtils.API.getApiQuery(`webhooks/5f27d0287c75da744d8615db/`))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/v3/admin/', testUtils.DataGenerator.Content.api_keys[0])}`)
.expect(404);
});
it('Cannot edit webhooks using content api keys', function () { it('Cannot edit webhooks using content api keys', function () {
let webhookData = { let webhookData = {
event: 'post.create', event: 'post.create',