github.com/gigforks/mattermost-server@v4.9.1-0.20180619094218-800d97fa55d0+incompatible/api/webhook.go (about) 1 // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. 2 // See License.txt for license information. 3 4 package api 5 6 import ( 7 "net/http" 8 9 "github.com/mattermost/mattermost-server/model" 10 ) 11 12 func (api *API) InitWebhook() { 13 api.BaseRoutes.Hooks.Handle("/incoming/create", api.ApiUserRequired(createIncomingHook)).Methods("POST") 14 api.BaseRoutes.Hooks.Handle("/incoming/update", api.ApiUserRequired(updateIncomingHook)).Methods("POST") 15 api.BaseRoutes.Hooks.Handle("/incoming/delete", api.ApiUserRequired(deleteIncomingHook)).Methods("POST") 16 api.BaseRoutes.Hooks.Handle("/incoming/list", api.ApiUserRequired(getIncomingHooks)).Methods("GET") 17 18 api.BaseRoutes.Hooks.Handle("/outgoing/create", api.ApiUserRequired(createOutgoingHook)).Methods("POST") 19 api.BaseRoutes.Hooks.Handle("/outgoing/update", api.ApiUserRequired(updateOutgoingHook)).Methods("POST") 20 api.BaseRoutes.Hooks.Handle("/outgoing/regen_token", api.ApiUserRequired(regenOutgoingHookToken)).Methods("POST") 21 api.BaseRoutes.Hooks.Handle("/outgoing/delete", api.ApiUserRequired(deleteOutgoingHook)).Methods("POST") 22 api.BaseRoutes.Hooks.Handle("/outgoing/list", api.ApiUserRequired(getOutgoingHooks)).Methods("GET") 23 } 24 25 func createIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) { 26 hook := model.IncomingWebhookFromJson(r.Body) 27 if hook == nil { 28 c.SetInvalidParam("createIncomingHook", "webhook") 29 return 30 } 31 32 channel, err := c.App.GetChannel(hook.ChannelId) 33 if err != nil { 34 c.Err = err 35 return 36 } 37 38 c.LogAudit("attempt") 39 40 if !c.App.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) { 41 c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS) 42 return 43 } 44 45 if channel.Type != model.CHANNEL_OPEN && !c.App.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) { 46 c.LogAudit("fail - bad channel permissions") 47 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 48 return 49 } 50 51 if incomingHook, err := c.App.CreateIncomingWebhookForChannel(c.Session.UserId, channel, hook); err != nil { 52 c.Err = err 53 return 54 } else { 55 c.LogAudit("success") 56 w.Write([]byte(incomingHook.ToJson())) 57 } 58 } 59 60 func updateIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) { 61 62 hook := model.IncomingWebhookFromJson(r.Body) 63 64 if hook == nil { 65 c.SetInvalidParam("updateIncomingHook", "webhook") 66 return 67 } 68 69 c.LogAudit("attempt") 70 71 oldHook, err := c.App.GetIncomingWebhook(hook.Id) 72 if err != nil { 73 c.Err = err 74 return 75 } 76 77 if c.TeamId != oldHook.TeamId { 78 c.Err = model.NewAppError("updateIncomingHook", "api.webhook.team_mismatch.app_error", nil, "user_id="+c.Session.UserId, http.StatusBadRequest) 79 return 80 } 81 82 if !c.App.SessionHasPermissionToTeam(c.Session, oldHook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) { 83 c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS) 84 return 85 } 86 87 if c.Session.UserId != oldHook.UserId && !c.App.SessionHasPermissionToTeam(c.Session, oldHook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) { 88 c.LogAudit("fail - inappropriate permissions") 89 c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) 90 return 91 } 92 93 channel, err := c.App.GetChannel(hook.ChannelId) 94 if err != nil { 95 c.Err = err 96 return 97 } 98 99 if channel.Type != model.CHANNEL_OPEN && !c.App.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) { 100 c.LogAudit("fail - bad channel permissions") 101 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 102 return 103 } 104 105 rhook, err := c.App.UpdateIncomingWebhook(oldHook, hook) 106 if err != nil { 107 c.Err = err 108 return 109 } 110 111 c.LogAudit("success") 112 w.Write([]byte(rhook.ToJson())) 113 } 114 115 func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) { 116 props := model.MapFromJson(r.Body) 117 118 id := props["id"] 119 if len(id) == 0 { 120 c.SetInvalidParam("deleteIncomingHook", "id") 121 return 122 } 123 124 hook, err := c.App.GetIncomingWebhook(id) 125 if err != nil { 126 c.Err = err 127 return 128 } 129 130 if !c.App.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) { 131 c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS) 132 return 133 } 134 135 c.LogAudit("attempt") 136 137 if c.Session.UserId != hook.UserId && !c.App.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) { 138 c.LogAudit("fail - inappropriate permissions") 139 c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) 140 return 141 } 142 143 if err := c.App.DeleteIncomingWebhook(id); err != nil { 144 c.LogAudit("fail") 145 c.Err = err 146 return 147 } 148 149 c.LogAudit("success") 150 w.Write([]byte(model.MapToJson(props))) 151 } 152 153 func getIncomingHooks(c *Context, w http.ResponseWriter, r *http.Request) { 154 if !c.App.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) { 155 c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS) 156 return 157 } 158 159 if hooks, err := c.App.GetIncomingWebhooksForTeamPage(c.TeamId, 0, 100); err != nil { 160 c.Err = err 161 return 162 } else { 163 w.Write([]byte(model.IncomingWebhookListToJson(hooks))) 164 } 165 } 166 167 func createOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) { 168 hook := model.OutgoingWebhookFromJson(r.Body) 169 if hook == nil { 170 c.SetInvalidParam("createOutgoingHook", "webhook") 171 return 172 } 173 174 c.LogAudit("attempt") 175 176 hook.TeamId = c.TeamId 177 hook.CreatorId = c.Session.UserId 178 179 if !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) { 180 c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS) 181 return 182 } 183 184 if rhook, err := c.App.CreateOutgoingWebhook(hook); err != nil { 185 c.LogAudit("fail") 186 c.Err = err 187 return 188 } else { 189 c.LogAudit("success") 190 w.Write([]byte(rhook.ToJson())) 191 } 192 } 193 194 func getOutgoingHooks(c *Context, w http.ResponseWriter, r *http.Request) { 195 if !c.App.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) { 196 c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS) 197 return 198 } 199 200 if hooks, err := c.App.GetOutgoingWebhooksForTeamPage(c.TeamId, 0, 100); err != nil { 201 c.Err = err 202 return 203 } else { 204 w.Write([]byte(model.OutgoingWebhookListToJson(hooks))) 205 } 206 } 207 208 func updateOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) { 209 c.LogAudit("attempt") 210 211 hook := model.OutgoingWebhookFromJson(r.Body) 212 213 if hook == nil { 214 c.SetInvalidParam("updateOutgoingHook", "webhook") 215 return 216 } 217 218 oldHook, err := c.App.GetOutgoingWebhook(hook.Id) 219 if err != nil { 220 c.Err = err 221 return 222 } 223 224 if c.TeamId != oldHook.TeamId { 225 c.Err = model.NewAppError("updateOutgoingHook", "api.webhook.team_mismatch.app_error", nil, "user_id="+c.Session.UserId, http.StatusForbidden) 226 return 227 } 228 229 if !c.App.SessionHasPermissionToTeam(c.Session, oldHook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) { 230 c.LogAudit("fail - inappropriate permissions") 231 c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS) 232 return 233 } 234 235 if c.Session.UserId != oldHook.CreatorId && !c.App.SessionHasPermissionToTeam(c.Session, oldHook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) { 236 c.LogAudit("fail - inappropriate permissions") 237 c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) 238 return 239 } 240 241 rhook, err := c.App.UpdateOutgoingWebhook(oldHook, hook) 242 if err != nil { 243 c.Err = err 244 return 245 } 246 247 c.LogAudit("success") 248 w.Write([]byte(rhook.ToJson())) 249 } 250 251 func deleteOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) { 252 props := model.MapFromJson(r.Body) 253 254 id := props["id"] 255 if len(id) == 0 { 256 c.SetInvalidParam("deleteIncomingHook", "id") 257 return 258 } 259 260 c.LogAudit("attempt") 261 262 if !c.App.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) { 263 c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS) 264 return 265 } 266 267 hook, err := c.App.GetOutgoingWebhook(id) 268 if err != nil { 269 c.Err = err 270 return 271 } 272 273 if c.Session.UserId != hook.CreatorId && !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) { 274 c.LogAudit("fail - inappropriate permissions") 275 c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) 276 return 277 } 278 279 if err := c.App.DeleteOutgoingWebhook(id); err != nil { 280 c.LogAudit("fail") 281 c.Err = err 282 return 283 } 284 285 c.LogAudit("success") 286 w.Write([]byte(model.MapToJson(props))) 287 } 288 289 func regenOutgoingHookToken(c *Context, w http.ResponseWriter, r *http.Request) { 290 props := model.MapFromJson(r.Body) 291 292 id := props["id"] 293 if len(id) == 0 { 294 c.SetInvalidParam("regenOutgoingHookToken", "id") 295 return 296 } 297 298 hook, err := c.App.GetOutgoingWebhook(id) 299 if err != nil { 300 c.Err = err 301 return 302 } 303 304 c.LogAudit("attempt") 305 306 if c.TeamId != hook.TeamId { 307 c.Err = model.NewAppError("regenOutgoingHookToken", "api.webhook.team_mismatch.app_error", nil, "user_id="+c.Session.UserId, http.StatusForbidden) 308 return 309 } 310 311 if !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) { 312 c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS) 313 return 314 } 315 316 if c.Session.UserId != hook.CreatorId && !c.App.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) { 317 c.LogAudit("fail - inappropriate permissions") 318 c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) 319 return 320 } 321 322 if rhook, err := c.App.RegenOutgoingWebhookToken(hook); err != nil { 323 c.Err = err 324 return 325 } else { 326 w.Write([]byte(rhook.ToJson())) 327 } 328 }