From e0b583de748f10f13bd59f4bca2ae0d843b21503 Mon Sep 17 00:00:00 2001
From: Michael Frister
Date: Fri, 21 Mar 2014 14:16:02 +0100
Subject: [PATCH] Add key-based authentication (like API) and clean up a bit
---
 app/controllers/webhooks_controller.rb | 23 +++++++++++++----------
 lib/open_project/webhooks.rb | 2 +-
 lib/open_project/webhooks/hook.rb | 7 ++-----
 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/app/controllers/webhooks_controller.rb b/app/controllers/webhooks_controller.rb
index de9f4f13ef..53191596b8 100644
--- a/app/controllers/webhooks_controller.rb
+++ b/app/controllers/webhooks_controller.rb
@@ -30,22 +30,25 @@ require 'json'
 class WebhooksController < ApplicationController
+  accept_key_auth :handle_hook
+
+  def api_request?
+    # OpenProject only allows API requests based on an Accept request header.
+    # Webhooks (at least GitHub) don't send an Accept header as they're not interested
+    # in any part of the response except the HTTP status code.
+    # Also handling requests with a application/json Content-Type as API requests
+    # should be safe regarding CSRF as browsers don't send forms as JSON.
+    super || request.content_type == "application/json"
+  end
+
   def handle_hook
     hook = OpenProject::Webhooks.find(params.require 'hook_name')
+
     if hook
-      code = hook.handle(env, params, find_current_user, find_project)
+      code = hook.handle(env, params, find_current_user)
       head code.is_a?(Integer) ? code : 200
     else
       head :not_found
     end
   end
-
-private
-  # overwritten from ApplicationController to allow optional project
-  # and read params[:project_identifier] instead of params[:id]
-  def find_project
-    Project.find(params['project_identifier'])
-  rescue ActiveRecord::RecordNotFound
-    nil
-  end
 end
diff --git a/lib/open_project/webhooks.rb b/lib/open_project/webhooks.rb
index 3e41e0a6f8..247554ceb7 100644
--- a/lib/open_project/webhooks.rb
+++ b/lib/open_project/webhooks.rb
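Review bot: The new `api_request?` override routes every request carrying a JSON Content-Type down the API path for the whole controller, and the comment justifies that only with "browsers don't send forms as JSON"; the actual reason it is CSRF-safe is that a cross-site, credential-bearing request cannot carry `Content-Type: application/json` without a CORS preflight, and that assumption should be written down, e.g. `# CSRF-safe only because a cross-site request cannot carry a JSON Content-Type without a CORS preflight; revisit if CORS is ever opened for this controller.` With `accept_key_auth :handle_hook` the user passed in `hook.handle(env, params, find_current_user)` is whatever the supplied key resolves to, and presumably a non-authenticated user when no key is sent, so hook callbacks must not assume `user` is authenticated; a short comment on the `hook.handle` line saying so would help later readers. Minor: `request.content_type == "application/json"` is an exact string compare, so it would stop matching if `content_type` ever included parameters such as `;charset=` in the Rails version in use — worth verifying.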
@@ -12,7 +12,7 @@ module OpenProject
     end
     ##
-    # Registeres a webhook having name and a callback.
+    # Registers a webhook having name and a callback.
     # The name will be part of the webhook-url and may be used to unregister a webhook later.
     # The callback is executed with two parameters when the webhook was called.
     # The parameters are the hook object, an environment-variables hash and a params hash of the current request.
diff --git a/lib/open_project/webhooks/hook.rb b/lib/open_project/webhooks/hook.rb
index 63569908be..f1ea80449b 100644
--- a/lib/open_project/webhooks/hook.rb
+++ b/lib/open_project/webhooks/hook.rb
@@ -12,12 +12,9 @@ module OpenProject::Webhooks
       "webhooks/#{name}"
     end
-    def handle(environment = Hash.new, params = Hash.new, user = nil, project = nil)
-      callback.call self, environment, params, user, project
+    def handle(environment = Hash.new, params = Hash.new, user = nil)
+      callback.call self, environment, params, user
     end
-    def send_event(event_name, payload)
-      ActiveSupport::Notifications.instrument event_name, payload
-    end
   end
 end
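Review bot: `handle` now invokes the callback with four arguments (`self, environment, params, user`), but the registration doc in lib/open_project/webhooks.rb, which this same commit touches only for the `Registeres` typo, still says the callback "is executed with two parameters" and lists just the hook, the environment hash and the params hash; that comment should be brought in line, e.g. `# The callback receives the hook object, an environment hash, a params hash and the current user (nil when none was resolved).` Style: the `Hash.new` defaults read more idiomatically as literals, `def handle(environment = {}, params = {}, user = nil)`. The class enclosing `handle` starts outside the hunk.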