models/webhook: restrict deletion to be explicitly with repo and org ID

3 files changed, 13 insertions, 27 deletions

diff --git a/routers/api/v1/repo/hook.go b/routers/api/v1/repo/hook.go
index 4cda05c8b8..2811a4d29e 100644
--- a/routers/api/v1/repo/hook.go
+++ b/routers/api/v1/repo/hook.go
@@ -96,15 +96,6 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
 	ctx.JSON(201, convert.ToHook(ctx.Repo.RepoLink, w))
 }
 
-func DeleteHook(ctx *context.APIContext) {
-	if err := models.DeleteWebhook(ctx.ParamsInt64(":id")); err != nil {
-		ctx.Error(500, "DeleteWebhook", err)
-		return
-	}
-
-	ctx.Status(204)
-}
-
 // https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook
 func EditHook(ctx *context.APIContext, form api.EditHookOption) {
 	w, err := models.GetWebhookByRepoID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
@@ -171,3 +162,12 @@ func EditHook(ctx *context.APIContext, form api.EditHookOption) {
 
 	ctx.JSON(200, convert.ToHook(ctx.Repo.RepoLink, w))
 }
+
+func DeleteHook(ctx *context.APIContext) {
+	if err := models.DeleteWebhookByRepoID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id")); err != nil {
+		ctx.Error(500, "DeleteWebhookByRepoID", err)
+		return
+	}
+
+	ctx.Status(204)
+}
diff --git a/routers/org/setting.go b/routers/org/setting.go
index a938581c61..7900613b77 100644
--- a/routers/org/setting.go
+++ b/routers/org/setting.go
@@ -7,8 +7,6 @@ package org
 import (
 	"strings"
 
-	"github.com/Unknwon/com"
-
 	"github.com/gogits/gogs/models"
 	"github.com/gogits/gogs/modules/auth"
 	"github.com/gogits/gogs/modules/base"
@@ -142,18 +140,6 @@ func Webhooks(ctx *context.Context) {
 	ctx.Data["BaseLink"] = ctx.Org.OrgLink
 	ctx.Data["Description"] = ctx.Tr("org.settings.hooks_desc")
 
-	// Delete web hook.
-	remove := com.StrTo(ctx.Query("remove")).MustInt64()
-	if remove > 0 {
-		if err := models.DeleteWebhook(remove); err != nil {
-			ctx.Handle(500, "DeleteWebhook", err)
-			return
-		}
-		ctx.Flash.Success(ctx.Tr("repo.settings.remove_hook_success"))
-		ctx.Redirect(ctx.Org.OrgLink + "/settings/hooks")
-		return
-	}
-
 	ws, err := models.GetWebhooksByOrgID(ctx.Org.Organization.Id)
 	if err != nil {
 		ctx.Handle(500, "GetWebhooksByOrgId", err)
@@ -165,8 +151,8 @@ func Webhooks(ctx *context.Context) {
 }
 
 func DeleteWebhook(ctx *context.Context) {
-	if err := models.DeleteWebhook(ctx.QueryInt64("id")); err != nil {
-		ctx.Flash.Error("DeleteWebhook: " + err.Error())
+	if err := models.DeleteWebhookByOrgID(ctx.Org.Organization.Id, ctx.QueryInt64("id")); err != nil {
+		ctx.Flash.Error("DeleteWebhookByOrgID: " + err.Error())
 	} else {
 		ctx.Flash.Success(ctx.Tr("repo.settings.webhook_deletion_success"))
 	}
diff --git a/routers/repo/webhook.go b/routers/repo/webhook.go
index b2274033b0..22d5cfd2c6 100644
--- a/routers/repo/webhook.go
+++ b/routers/repo/webhook.go
@@ -384,8 +384,8 @@ func TestWebhook(ctx *context.Context) {
 }
 
 func DeleteWebhook(ctx *context.Context) {
-	if err := models.DeleteWebhook(ctx.QueryInt64("id")); err != nil {
-		ctx.Flash.Error("DeleteWebhook: " + err.Error())
+	if err := models.DeleteWebhookByRepoID(ctx.Repo.Repository.ID, ctx.QueryInt64("id")); err != nil {
+		ctx.Flash.Error("DeleteWebhookByRepoID: " + err.Error())
 	} else {
 		ctx.Flash.Success(ctx.Tr("repo.settings.webhook_deletion_success"))
 	}