authorUnknwon <u@gogs.io>2016-07-08 13:57:09 +0800
committerUnknwon <u@gogs.io>2016-07-08 13:57:09 +0800
commitd62ab499784386935fa20152c1c163d0ef62d31a (patch)
treee6104d8b2768da112b2f0051a24efc1c12ae531a /models
parente30c7013862a9d2c2ae60e403a1624e54475c4c7 (diff)
downloadgitea-d62ab499784386935fa20152c1c163d0ef62d31a.tar.gz
gitea-d62ab499784386935fa20152c1c163d0ef62d31a.zip
#3057 retrieve webhook with repo_id
This prevents a user from retrieving an arbitrary webhook by changing the URL to access webhooks from other, unauthorized repositories.
Diffstat (limited to 'models')
-rw-r--r--models/webhook.go8
1 files changed, 4 insertions, 4 deletions
diff --git a/models/webhook.go b/models/webhook.go
index 6d8b8c1682..7a42093b5a 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
return err
}
-// GetWebhookByID returns webhook by given ID.
-func GetWebhookByID(id int64) (*Webhook, error) {
+// GetWebhookByID returns webhook of repository by given ID.
+func GetWebhookByID(repoID, id int64) (*Webhook, error) {
w := new(Webhook)
- has, err := x.Id(id).Get(w)
+ has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
if err != nil {
return nil, err
} else if !has {
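Review bot: The new `repo_id` filter only closes the cross-repository lookup if `repoID` comes from the repository the caller has already been authorized for, never from a request parameter. This page is limited to `models`, so the handler call sites that must now supply it are not visible here. The doc comment should state the contract, e.g. `// GetWebhookByID returns the webhook with the given ID if it belongs to repository repoID.`, with a second line saying that a webhook owned by another repository is treated as not existing. It is also worth confirming whether any rows are stored with `repo_id = 0` (for instance hooks not attached to a repository), since a caller passing a zero `repoID` would match them. The function body continues past the end of the hunk.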
@@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
}
// Update webhook last delivery status.
- w, err := GetWebhookByID(t.HookID)
+ w, err := GetWebhookByID(t.RepoID, t.HookID)
if err != nil {
log.Error(5, "GetWebhookByID: %v", err)
return
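Review bot: The lookup in `deliver()` can now fail for a second reason, a `t.RepoID` that does not match the hook's repository, and the existing log line does not record which IDs were used. Logging them makes a scoping mismatch distinguishable from a deleted hook, e.g. `log.Error(5, "GetWebhookByID [repo_id: %d, hook_id: %d]: %v", t.RepoID, t.HookID, err)`. The call presumably also relies on every stored HookTask having `RepoID` populated; any task without it would stop updating the delivery status, so that is worth checking against existing rows. `deliver()` starts and ends outside the hunk.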