Add key-based authentication (like API) and clean up a bit

11 years ago · e0b583de74
parent 0c2715bf45
commit e0b583de74
3 changed files with 16 additions and 16 deletions
--- a/app/controllers/webhooks_controller.rb
+++ b/app/controllers/webhooks_controller.rb
@ -30,22 +30,25 @@
 require 'json'

 class WebhooksController < ApplicationController
+  accept_key_auth :handle_hook
+
+  def api_request?
+    # OpenProject only allows API requests based on an Accept request header.
+    # Webhooks (at least GitHub) don't send an Accept header as they're not interested
+    # in any part of the response except the HTTP status code.
+    # Also handling requests with a application/json Content-Type as API requests
+    # should be safe regarding CSRF as browsers don't send forms as JSON.
+    super || request.content_type == "application/json"
+  end
+
  def handle_hook
    hook = OpenProject::Webhooks.find(params.require 'hook_name')
+
    if hook
-      code = hook.handle(env, params, find_current_user, find_project)
+      code = hook.handle(env, params, find_current_user)
      head code.is_a?(Integer) ? code : 200
    else
      head :not_found
    end
  end
-
-private
-  # overwritten from ApplicationController to allow optional project
-  # and read params[:project_identifier] instead of params[:id]
-  def find_project
-    Project.find(params['project_identifier'])
-  rescue ActiveRecord::RecordNotFound
-    nil
-  end
 end
--- a/lib/open_project/webhooks.rb
+++ b/lib/open_project/webhooks.rb
@ -12,7 +12,7 @@ module OpenProject
    end

    ##
-    # Registeres a webhook having name and a callback.
+    # Registers a webhook having name and a callback.
    # The name will be part of the webhook-url and may be used to unregister a webhook later.
    # The callback is executed with two parameters when the webhook was called.
    #    The parameters are the hook object, an environment-variables hash and a params hash of the current request.
--- a/lib/open_project/webhooks/hook.rb
+++ b/lib/open_project/webhooks/hook.rb
@ -12,12 +12,9 @@ module OpenProject::Webhooks
      "webhooks/#{name}"
    end

-    def handle(environment = Hash.new, params = Hash.new, user = nil, project = nil)
-      callback.call self, environment, params, user, project
+    def handle(environment = Hash.new, params = Hash.new, user = nil)
+      callback.call self, environment, params, user
    end

-    def send_event(event_name, payload)
-      ActiveSupport::Notifications.instrument event_name, payload
-    end
  end
 end