author | Unknwon <u@gogs.io> | 2016-07-08 13:57:09 +0800 |
---|---|---|
committer | Unknwon <u@gogs.io> | 2016-07-08 13:57:09 +0800 |
commit | d62ab499784386935fa20152c1c163d0ef62d31a (patch) | |
tree | e6104d8b2768da112b2f0051a24efc1c12ae531a /models | |
parent | e30c7013862a9d2c2ae60e403a1624e54475c4c7 (diff) | |
#3057 retrieve webhook with repo_id
This prevents a user from retrieving an arbitrary webhook by changing the URL
to access webhooks of other repositories they are not authorized for.
Diffstat (limited to 'models')
-rw-r--r-- | models/webhook.go | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/models/webhook.go b/models/webhook.go
index 6d8b8c1682..7a42093b5a 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
 return err
 }
-// GetWebhookByID returns webhook by given ID.
-func GetWebhookByID(id int64) (*Webhook, error) {
+// GetWebhookByID returns webhook of repository by given ID.
+func GetWebhookByID(repoID, id int64) (*Webhook, error) {
 w := new(Webhook)
- has, err := x.Id(id).Get(w)
+ has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
 if err != nil {
 return nil, err
 } else if !has {
@@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
 }
 // Update webhook last delivery status.
- w, err := GetWebhookByID(t.HookID)
+ w, err := GetWebhookByID(t.RepoID, t.HookID)
 if err != nil {
 log.Error(5, "GetWebhookByID: %v", err)
 return |
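Review bot: The new signature `GetWebhookByID(repoID, id int64)` puts two int64 values side by side, so a call site that passes them in the wrong order still compiles and runs the query with the values crossed. The ownership check is the whole point of this commit, so the doc comment should state the contract rather than only "of repository", for example `// GetWebhookByID returns the webhook with the given ID only if it belongs to repository repoID.` followed by `// repoID must be the repository the caller has already authorized, never a value read from the request.` The diffstat is limited to `models`, so whether the request handlers pass an authorized repository ID cannot be confirmed from this page. The function body also continues past the hunk, so what the `!has` branch returns for a hook owned by another repository is not visible.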
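Review bot: In `deliver()` the hook ID comes from the task itself rather than from a URL, so the added `t.RepoID` filter gives no access-control benefit on this path and introduces a new failure mode. If a task's `RepoID` ever differs from the hook row's `repo_id` (for instance a hook not owned by a single repository, should the model have such hooks), the lookup reports not-found and the last-delivery status is never updated. The only trace would be the `GetWebhookByID: %v` log line. Consider keeping an unscoped, unexported lookup for this internal path and reserving the repo-scoped function for request handlers. `deliver()` starts and ends outside the hunk, so how `t.RepoID` is populated cannot be checked here.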