From d62ab499784386935fa20152c1c163d0ef62d31a Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Fri, 8 Jul 2016 13:57:09 +0800
Subject: #3057 retrieve webhook with repo_id

This prevents user retrieve arbitrary webhook by changing URL to access webhook from other unauthorized repositories.
---
 models/webhook.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'models')

diff --git a/models/webhook.go b/models/webhook.go
index 6d8b8c16..7a42093b 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
 return err
 }
 
-// GetWebhookByID returns webhook by given ID.
-func GetWebhookByID(id int64) (*Webhook, error) {
+// GetWebhookByID returns webhook of repository by given ID.
+func GetWebhookByID(repoID, id int64) (*Webhook, error) {
 w := new(Webhook)
- has, err := x.Id(id).Get(w)
+ has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
 if err != nil {
 return nil, err
 } else if !has {
@@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
 }
 
 // Update webhook last delivery status.
- w, err := GetWebhookByID(t.HookID)
+ w, err := GetWebhookByID(t.RepoID, t.HookID)
 if err != nil {
 log.Error(5, "GetWebhookByID: %v", err)
 return
-- 
cgit v1.2.3
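Review bot: The new signature `GetWebhookByID(repoID, id int64)` takes two adjacent int64 values, so a caller that swaps them still compiles and simply gets a not-found result or an unintended row. The doc comment should state the access-control contract rather than only "of repository", for example `// GetWebhookByID returns the webhook with the given ID only if it belongs to repository repoID; a webhook of any other repository is reported as not existing.` It is also worth saying there that repoID must come from the repository the request was already authorized for, because this patch is limited to models and the callers that supply it are not visible here. The function body continues past the end of the hunk.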
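Review bot: In deliver() the lookup is now scoped to `t.RepoID`, although this path is driven by the task record and not by a URL, so the extra filter adds no authorization value here and can only make the lookup fail. If any webhook is stored with a repo_id that differs from the task's RepoID (for instance a hook not owned by a single repository, which this diff does not show and should be confirmed), the call returns not-found and the last-delivery status is silently never updated. The error line also gives no way to tell which hook was affected; `log.Error(5, "GetWebhookByID [repo_id: %d, hook_id: %d]: %v", t.RepoID, t.HookID, err)` would make that case diagnosable. deliver's body starts and ends outside the hunk.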