Fix webhooks incoming params overriding action

app/controllers/webhooks/incoming/hooks_controller.rb

@@ -20,6 +20,13 @@ module Webhooks
     class HooksController < ApplicationController
       accept_key_auth :handle_hook
 
+      # Disable CSRF detection since we openly welcome POSTs here!
+      skip_before_action :verify_authenticity_token
+
+      # Wrap the JSON body as 'payload' param
+      # making it available as params[:payload]
+      wrap_parameters :payload
+
       def api_request?
         # OpenProject only allows API requests based on an Accept request header.
         # Webhooks (at least GitHub) don't send an Accept header as they're not interested
@@ -33,7 +40,7 @@ module Webhooks
         hook = OpenProject::Webhooks.find(params.require 'hook_name')
 
         if hook
-          code = hook.handle(env, params, find_current_user)
+          code = hook.handle(request, params, find_current_user)
           head code.is_a?(Integer) ? code : 200
         else
           head :not_found

lib/open_project/webhooks/hook.rb

@@ -26,8 +26,8 @@ module OpenProject::Webhooks
       "webhooks/#{name}"
     end
 
-    def handle(environment = Hash.new, params = Hash.new, user = nil)
+    def handle(request = Hash.new, params = Hash.new, user = nil)
-      callback.call self, environment, params, user
+      callback.call self, request, params, user
     end
 
   end