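// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package api4

import (
	"net/http"

	"github.com/mattermost/mattermost-server/model"
)

// InitWebhook registers the incoming and outgoing webhook routes. Every
// route is wrapped in ApiSessionRequired, so an authenticated session is
// guaranteed before a handler runs; team/channel/ownership authorization
// is enforced inside each handler.
func (api *API) InitWebhook() {
	api.BaseRoutes.IncomingHooks.Handle("", api.ApiSessionRequired(createIncomingHook)).Methods("POST")
	api.BaseRoutes.IncomingHooks.Handle("", api.ApiSessionRequired(getIncomingHooks)).Methods("GET")
	api.BaseRoutes.IncomingHook.Handle("", api.ApiSessionRequired(getIncomingHook)).Methods("GET")
	api.BaseRoutes.IncomingHook.Handle("", api.ApiSessionRequired(updateIncomingHook)).Methods("PUT")
	api.BaseRoutes.IncomingHook.Handle("", api.ApiSessionRequired(deleteIncomingHook)).Methods("DELETE")

	api.BaseRoutes.OutgoingHooks.Handle("", api.ApiSessionRequired(createOutgoingHook)).Methods("POST")
	api.BaseRoutes.OutgoingHooks.Handle("", api.ApiSessionRequired(getOutgoingHooks)).Methods("GET")
	api.BaseRoutes.OutgoingHook.Handle("", api.ApiSessionRequired(getOutgoingHook)).Methods("GET")
	api.BaseRoutes.OutgoingHook.Handle("", api.ApiSessionRequired(updateOutgoingHook)).Methods("PUT")
	api.BaseRoutes.OutgoingHook.Handle("", api.ApiSessionRequired(deleteOutgoingHook)).Methods("DELETE")
	api.BaseRoutes.OutgoingHook.Handle("/regen_token", api.ApiSessionRequired(regenOutgoingHookToken)).Methods("POST")
}

// createIncomingHook creates an incoming webhook for the channel named in
// the request body. The caller needs PERMISSION_MANAGE_WEBHOOKS in the
// channel's team and, when the channel is not public, read access to the
// channel. Responds 201 with the stored hook.
func createIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
	hook := model.IncomingWebhookFromJson(r.Body)
	if hook == nil {
		c.SetInvalidParam("incoming_webhook")
		return
	}

	// ChannelId comes from the untrusted body; resolve the channel first so
	// the team used for authorization is the server-side one, not a
	// client-supplied value.
	channel, err := c.App.GetChannel(hook.ChannelId)
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("attempt")

	if !c.App.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
		c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
		return
	}

	if channel.Type != model.CHANNEL_OPEN && !c.App.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
		c.LogAudit("fail - bad channel permissions")
		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
		return
	}

	incomingHook, err := c.App.CreateIncomingWebhookForChannel(c.Session.UserId, channel, hook)
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("success")
	w.WriteHeader(http.StatusCreated)
	w.Write([]byte(incomingHook.ToJson()))
}

// updateIncomingHook replaces the incoming webhook identified by the URL
// hook id with the body. The body's TeamId must be empty or equal to the
// stored hook's team; the caller needs PERMISSION_MANAGE_WEBHOOKS in that
// team, PERMISSION_MANAGE_OTHERS_WEBHOOKS when the hook belongs to someone
// else, and read access to the (new) channel when it is not public.
// Responds 200 with the stored hook.
func updateIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireHookId()
	if c.Err != nil {
		return
	}

	hookId := c.Params.HookId

	updatedHook := model.IncomingWebhookFromJson(r.Body)
	if updatedHook == nil {
		c.SetInvalidParam("incoming_webhook")
		return
	}

	c.LogAudit("attempt")

	oldHook, err := c.App.GetIncomingWebhook(hookId)
	if err != nil {
		c.Err = err
		return
	}

	// A hook may not be moved between teams; an absent TeamId means "keep".
	if updatedHook.TeamId == "" {
		updatedHook.TeamId = oldHook.TeamId
	}

	if updatedHook.TeamId != oldHook.TeamId {
		c.Err = model.NewAppError("updateIncomingHook", "api.webhook.team_mismatch.app_error", nil, "user_id="+c.Session.UserId, http.StatusBadRequest)
		return
	}

	if !c.App.SessionHasPermissionToTeam(c.Session, updatedHook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
		c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
		return
	}

	if c.Session.UserId != oldHook.UserId && !c.App.SessionHasPermissionToTeam(c.Session, updatedHook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
		c.LogAudit("fail - inappropriate permissions")
		c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
		return
	}

	channel, err := c.App.GetChannel(updatedHook.ChannelId)
	if err != nil {
		c.Err = err
		return
	}

	if channel.Type != model.CHANNEL_OPEN && !c.App.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
		c.LogAudit("fail - bad channel permissions")
		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
		return
	}

	incomingHook, err := c.App.UpdateIncomingWebhook(oldHook, updatedHook)
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("success")
	// An update of an existing resource answers 200 OK (the default
	// status), not 201 Created as the create handler does.
	w.Write([]byte(incomingHook.ToJson()))
}

// getIncomingHooks lists incoming webhooks, paged by c.Params. With a
// team_id query parameter the caller needs PERMISSION_MANAGE_WEBHOOKS in
// that team; without one the caller needs the permission system-wide.
func getIncomingHooks(c *Context, w http.ResponseWriter, r *http.Request) {
	teamId := r.URL.Query().Get("team_id")

	var hooks []*model.IncomingWebhook
	var err *model.AppError

	if len(teamId) > 0 {
		if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_MANAGE_WEBHOOKS) {
			c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
			return
		}

		hooks, err = c.App.GetIncomingWebhooksForTeamPage(teamId, c.Params.Page, c.Params.PerPage)
	} else {
		if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_WEBHOOKS) {
			c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
			return
		}

		hooks, err = c.App.GetIncomingWebhooksPage(c.Params.Page, c.Params.PerPage)
	}

	if err != nil {
		c.Err = err
		return
	}

	w.Write([]byte(model.IncomingWebhookListToJson(hooks)))
}

// loadIncomingHookForSession loads the incoming webhook hookId and checks
// that the current session may act on it: PERMISSION_MANAGE_WEBHOOKS in
// the hook's team, read access to the hook's channel when it is not public,
// and PERMISSION_MANAGE_OTHERS_WEBHOOKS when the hook was created by a
// different user. On any failure c.Err is set and nil is returned; the
// get and delete handlers share this so their checks cannot drift apart.
func loadIncomingHookForSession(c *Context, hookId string) *model.IncomingWebhook {
	hook, err := c.App.GetIncomingWebhook(hookId)
	if err != nil {
		c.Err = err
		return nil
	}

	channel, err := c.App.GetChannel(hook.ChannelId)
	if err != nil {
		c.Err = err
		return nil
	}

	if !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
		c.LogAudit("fail - bad permissions")
		c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
		return nil
	}

	if channel.Type != model.CHANNEL_OPEN && !c.App.SessionHasPermissionToChannel(c.Session, hook.ChannelId, model.PERMISSION_READ_CHANNEL) {
		c.LogAudit("fail - bad channel permissions")
		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
		return nil
	}

	if c.Session.UserId != hook.UserId && !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
		c.LogAudit("fail - inappropriate permissions")
		c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
		return nil
	}

	return hook
}

// getIncomingHook returns the incoming webhook identified by the URL hook
// id, subject to the checks in loadIncomingHookForSession.
func getIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireHookId()
	if c.Err != nil {
		return
	}

	hook := loadIncomingHookForSession(c, c.Params.HookId)
	if hook == nil {
		return
	}

	w.Write([]byte(hook.ToJson()))
}

// deleteIncomingHook deletes the incoming webhook identified by the URL
// hook id, subject to the checks in loadIncomingHookForSession.
func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireHookId()
	if c.Err != nil {
		return
	}

	hookId := c.Params.HookId

	if hook := loadIncomingHookForSession(c, hookId); hook == nil {
		return
	}

	if err := c.App.DeleteIncomingWebhook(hookId); err != nil {
		c.Err = err
		return
	}

	c.LogAudit("success")
	ReturnStatusOK(w)
}

// updateOutgoingHook updates an outgoing webhook from the request body.
// The caller needs PERMISSION_MANAGE_WEBHOOKS in the body's TeamId and
// PERMISSION_MANAGE_OTHERS_WEBHOOKS in the stored hook's team when the
// hook was created by someone else. Responds 200 with the stored hook.
func updateOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireHookId()
	if c.Err != nil {
		return
	}

	toUpdateHook := model.OutgoingWebhookFromJson(r.Body)
	if toUpdateHook == nil {
		c.SetInvalidParam("outgoing_webhook")
		return
	}

	c.LogAudit("attempt")

	// The creator is always the session user; the body cannot choose it.
	toUpdateHook.CreatorId = c.Session.UserId

	if !c.App.SessionHasPermissionToTeam(c.Session, toUpdateHook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
		c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
		return
	}

	// NOTE(review): the hook is looked up by the body's Id, while the URL
	// hook id (c.Params.HookId) is only checked for presence, and the team
	// permission above is evaluated against the body's TeamId rather than
	// oldHook.TeamId. This relies on UpdateOutgoingWebhook rejecting an id
	// or team mismatch — confirm that in the app layer.
	oldHook, err := c.App.GetOutgoingWebhook(toUpdateHook.Id)
	if err != nil {
		c.Err = err
		return
	}

	if c.Session.UserId != oldHook.CreatorId && !c.App.SessionHasPermissionToTeam(c.Session, oldHook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
		c.LogAudit("fail - inappropriate permissions")
		c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
		return
	}

	rhook, err := c.App.UpdateOutgoingWebhook(oldHook, toUpdateHook)
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("success")
	w.Write([]byte(rhook.ToJson()))
}

// createOutgoingHook creates an outgoing webhook from the request body in
// the body's TeamId; the caller needs PERMISSION_MANAGE_WEBHOOKS there.
// The creator is forced to the session user. Responds 201 with the stored
// hook.
func createOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
	hook := model.OutgoingWebhookFromJson(r.Body)
	if hook == nil {
		c.SetInvalidParam("outgoing_webhook")
		return
	}

	c.LogAudit("attempt")

	hook.CreatorId = c.Session.UserId

	if !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
		c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
		return
	}

	rhook, err := c.App.CreateOutgoingWebhook(hook)
	if err != nil {
		c.LogAudit("fail")
		c.Err = err
		return
	}

	c.LogAudit("success")
	w.WriteHeader(http.StatusCreated)
	w.Write([]byte(rhook.ToJson()))
}

// getOutgoingHooks lists outgoing webhooks, paged by c.Params. channel_id
// takes precedence over team_id; the caller needs
// PERMISSION_MANAGE_WEBHOOKS on the given channel, in the given team, or
// system-wide when neither is supplied.
func getOutgoingHooks(c *Context, w http.ResponseWriter, r *http.Request) {
	channelId := r.URL.Query().Get("channel_id")
	teamId := r.URL.Query().Get("team_id")

	var hooks []*model.OutgoingWebhook
	var err *model.AppError

	switch {
	case len(channelId) > 0:
		if !c.App.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_MANAGE_WEBHOOKS) {
			c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
			return
		}

		hooks, err = c.App.GetOutgoingWebhooksForChannelPage(channelId, c.Params.Page, c.Params.PerPage)
	case len(teamId) > 0:
		if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_MANAGE_WEBHOOKS) {
			c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
			return
		}

		hooks, err = c.App.GetOutgoingWebhooksForTeamPage(teamId, c.Params.Page, c.Params.PerPage)
	default:
		if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_WEBHOOKS) {
			c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
			return
		}

		hooks, err = c.App.GetOutgoingWebhooksPage(c.Params.Page, c.Params.PerPage)
	}

	if err != nil {
		c.Err = err
		return
	}

	w.Write([]byte(model.OutgoingWebhookListToJson(hooks)))
}

// getOutgoingHook returns the outgoing webhook identified by the URL hook
// id. The caller needs PERMISSION_MANAGE_WEBHOOKS in the hook's team and
// PERMISSION_MANAGE_OTHERS_WEBHOOKS when the hook was created by someone
// else. The response includes the hook's token.
func getOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireHookId()
	if c.Err != nil {
		return
	}

	hook, err := c.App.GetOutgoingWebhook(c.Params.HookId)
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("attempt")

	if !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
		c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
		return
	}

	if c.Session.UserId != hook.CreatorId && !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
		c.LogAudit("fail - inappropriate permissions")
		c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
		return
	}

	c.LogAudit("success")
	w.Write([]byte(hook.ToJson()))
}

// regenOutgoingHookToken replaces the token of the outgoing webhook
// identified by the URL hook id, under the same authorization as
// getOutgoingHook, and responds with the updated hook. Token rotation is
// audited like the other mutating handlers.
func regenOutgoingHookToken(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireHookId()
	if c.Err != nil {
		return
	}

	hook, err := c.App.GetOutgoingWebhook(c.Params.HookId)
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("attempt")

	if !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
		c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
		return
	}

	if c.Session.UserId != hook.CreatorId && !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
		c.LogAudit("fail - inappropriate permissions")
		c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
		return
	}

	rhook, err := c.App.RegenOutgoingWebhookToken(hook)
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("success")
	w.Write([]byte(rhook.ToJson()))
}

// deleteOutgoingHook deletes the outgoing webhook identified by the URL
// hook id, under the same authorization as getOutgoingHook.
func deleteOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireHookId()
	if c.Err != nil {
		return
	}

	hook, err := c.App.GetOutgoingWebhook(c.Params.HookId)
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("attempt")

	if !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
		c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
		return
	}

	if c.Session.UserId != hook.CreatorId && !c.App.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
		c.LogAudit("fail - inappropriate permissions")
		c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)
		return
	}

	if err := c.App.DeleteOutgoingWebhook(hook.Id); err != nil {
		c.LogAudit("fail")
		c.Err = err
		return
	}

	c.LogAudit("success")
	ReturnStatusOK(w)
}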