Disabled changing webhook's integration_id through PUT API

refs #12033 - Allowing to change parent integration opens up possible security holes and has no clear usecase at the moment. After a webhook record is created it should not be possible to change parent integration. - Had do partially duplicate JSON schema definition from webhooks definition as there is no proper composition technique available in current version of JSON Schema.
2025-01-06 22:40:14 -05:00 · 2020-09-24 16:24:02 +12:00 · 2020-09-24 16:24:02 +12:00 · 43153ba31e
commit 43153ba31e
parent af516e130c
2 changed files with 60 additions and 2 deletions
--- a/core/server/api/canary/utils/validators/input/schemas/webhooks-edit.json
+++ b/core/server/api/canary/utils/validators/input/schemas/webhooks-edit.json
@ -10,7 +10,64 @@
            "type": "array",
            "minItems": 1,
            "maxItems": 1,
-            "items": {"$ref": "webhooks#/definitions/webhook"}
+            "items": {
+                "type": "object",
+                "additionalProperties": false,
+                "properties": {
+                    "event": {
+                        "type": "string",
+                        "maxLength": 50,
+                        "isLowercase": true
+                    },
+                    "target_url": {
+                        "type": "string",
+                        "format": "uri-reference",
+                        "maxLength": 2000
+                    },
+                    "name": {
+                        "type": ["string", "null"],
+                        "maxLength": 191
+                    },
+                    "secret": {
+                        "type": ["string", "null"],
+                        "maxLength": 191
+                    },
+                    "api_version": {
+                        "type": ["string", "null"],
+                        "maxLength": 50
+                    },
+                    "integration_id": {
+                        "strip": true
+                    },
+                    "id": {
+                        "strip": true
+                    },
+                    "status": {
+                        "strip": true
+                    },
+                    "last_triggered_at": {
+                        "strip": true
+                    },
+                    "last_triggered_status": {
+                        "strip": true
+                    },
+                    "last_triggered_error": {
+                        "strip": true
+                    },
+                    "created_at": {
+                        "strip": true
+                    },
+                    "created_by": {
+                        "strip": true
+                    },
+                    "updated_at": {
+                        "strip": true
+                    },
+                    "updated_by": {
+                        "strip": true
+                    }
+                }
+            }
        }
    },
    "required": ["webhooks"]
--- a/test/api-acceptance/admin/webhooks_spec.js
+++ b/test/api-acceptance/admin/webhooks_spec.js
@ -99,7 +99,8 @@ describe('Webhooks API', function () {
                        webhooks: [{
                            name: 'Edit Test',
                            event: 'subscriber.added',
-                            target_url: 'https://example.com/new-subscriber'
+                            target_url: 'https://example.com/new-subscriber',
+                            integration_id: 'ignore_me'
                        }]
                    })
                    .expect(200)