authorUnknwon <u@gogs.io>2016-07-08 13:57:09 +0800
committerUnknwon <u@gogs.io>2016-07-08 13:57:09 +0800
commitd62ab499784386935fa20152c1c163d0ef62d31a (patch)
treee6104d8b2768da112b2f0051a24efc1c12ae531a
parente30c7013862a9d2c2ae60e403a1624e54475c4c7 (diff)
downloadgitea-d62ab499784386935fa20152c1c163d0ef62d31a.tar.gz
gitea-d62ab499784386935fa20152c1c163d0ef62d31a.zip
#3057 retrieve webhook with repo_id
This prevents a user from retrieving an arbitrary webhook by changing the URL to access webhooks from other repositories that the user is not authorized for.
-rw-r--r--README.md2
-rw-r--r--gogs.go2
-rw-r--r--models/webhook.go8
-rw-r--r--routers/api/v1/repo/hook.go2
-rw-r--r--routers/repo/webhook.go2
-rw-r--r--templates/.VERSION2
6 files changed, 9 insertions, 9 deletions
diff --git a/README.md b/README.md
index e51f5c4984..6f430c90f0 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
-##### Current tip version: 0.9.37 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
+##### Current tip version: 0.9.38 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
| Web | UI | Preview |
|:-------------:|:-------:|:-------:|
diff --git a/gogs.go b/gogs.go
index 09274060bb..f62d5884fd 100644
--- a/gogs.go
+++ b/gogs.go
@@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting"
)
-const APP_VER = "0.9.37.0708"
+const APP_VER = "0.9.38.0708"
func init() {
runtime.GOMAXPROCS(runtime.NumCPU())
diff --git a/models/webhook.go b/models/webhook.go
index 6d8b8c1682..7a42093b5a 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
return err
}
-// GetWebhookByID returns webhook by given ID.
-func GetWebhookByID(id int64) (*Webhook, error) {
+// GetWebhookByID returns webhook of repository by given ID.
+func GetWebhookByID(repoID, id int64) (*Webhook, error) {
w := new(Webhook)
- has, err := x.Id(id).Get(w)
+ has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
if err != nil {
return nil, err
} else if !has {
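Review bot: The new doc comment on `GetWebhookByID` does not state the contract this fix depends on: with the added `And("repo_id=?", repoID)` condition, a webhook that exists but belongs to a different repository falls into the same `!has` branch as one that does not exist. I would spell that out, for example `// GetWebhookByID returns the webhook with the given ID only if it belongs to repository repoID;` followed by `// a webhook owned by another repository is reported as not existing.` Both parameters are `int64`, so a call with the arguments swapped still compiles; a regression test that looks a hook up under the wrong repository ID would guard against that. The function body continues past the end of this hunk, so the value returned from the `!has` branch is not visible here.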
@@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
}
// Update webhook last delivery status.
- w, err := GetWebhookByID(t.HookID)
+ w, err := GetWebhookByID(t.RepoID, t.HookID)
if err != nil {
log.Error(5, "GetWebhookByID: %v", err)
return
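Review bot: In `deliver()` the hook ID comes from the stored task rather than from a request, so scoping the lookup by `t.RepoID` adds no access control on this path but does add a way for it to fail. If a task can ever refer to a webhook whose `repo_id` differs from the task's `RepoID` (for example an organization-level hook, if the schema has those), the lookup reports not-found, the error is logged, and the last-delivery status is never updated. That is inferred, since the `Webhook` and `HookTask` definitions are outside this diff. If such hooks exist, keep an unscoped lookup for this internal path and reserve the repository-scoped one for request handlers. `deliver()` starts and ends outside the hunk.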
diff --git a/routers/api/v1/repo/hook.go b/routers/api/v1/repo/hook.go
index 0cbe6762a8..0dac8f7cf1 100644
--- a/routers/api/v1/repo/hook.go
+++ b/routers/api/v1/repo/hook.go
@@ -98,7 +98,7 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
// https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook
func EditHook(ctx *context.APIContext, form api.EditHookOption) {
- w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
+ w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
if err != nil {
if models.IsErrWebhookNotExist(err) {
ctx.Status(404)
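Review bot: Only the lookup in `EditHook` changes in this file, and the fix holds only if every handler that resolves a hook from `:id` passes the repository taken from the authorized context. Any other hook handlers in this file are not visible in the diff and should be confirmed to be scoped the same way. I would also record the intent at the call site with `// Look up the hook within the repository resolved by the route; a hook of another repository yields 404.` The body of `EditHook` continues outside the hunk.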
diff --git a/routers/repo/webhook.go b/routers/repo/webhook.go
index 16aa3821a8..460a430aad 100644
--- a/routers/repo/webhook.go
+++ b/routers/repo/webhook.go
@@ -220,7 +220,7 @@ func checkWebhook(ctx *context.Context) (*OrgRepoCtx, *models.Webhook) {
}
ctx.Data["BaseLink"] = orCtx.Link
- w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
+ w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
if err != nil {
if models.IsErrWebhookNotExist(err) {
ctx.Handle(404, "GetWebhookByID", nil)
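Review bot: `checkWebhook` returns an `*OrgRepoCtx` and takes `BaseLink` from `orCtx.Link`, which suggests it also serves organization-level webhook pages. On such a route `ctx.Repo.Repository` may be nil, so `ctx.Repo.Repository.ID` could panic, and even when it is set an organization hook would presumably not match this `repo_id` and would always return 404. This is inferred from the signature, since the rest of the function and the `OrgRepoCtx` type are outside the hunk. The lookup should branch on the context: scope by repository ID on repository routes and by the organization's ID on organization routes, so that both stay bound to the owner resolved from the authorized context.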
diff --git a/templates/.VERSION b/templates/.VERSION
index dd6328aeec..d8f833ffde 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.9.37.0708
\ No newline at end of file
+0.9.38.0708
\ No newline at end of file