From d62ab499784386935fa20152c1c163d0ef62d31a Mon Sep 17 00:00:00 2001
From: Unknwon <u@gogs.io>
Date: Fri, 8 Jul 2016 13:57:09 +0800
Subject: [PATCH] #3057 retrieve webhook with repo_id

This prevents a user from retrieving an arbitrary webhook by changing the URL
to access a webhook belonging to another repository they are not authorized for.
---
 README.md                   | 2 +-
 gogs.go                     | 2 +-
 models/webhook.go           | 8 ++++----
 routers/api/v1/repo/hook.go | 2 +-
 routers/repo/webhook.go     | 2 +-
 templates/.VERSION          | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index e51f5c498..6f430c90f 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
 
 ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
 
-##### Current tip version: 0.9.37 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
+##### Current tip version: 0.9.38 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
 
 | Web | UI  | Preview  |
 |:-------------:|:-------:|:-------:|
diff --git a/gogs.go b/gogs.go
index 09274060b..f62d5884f 100644
--- a/gogs.go
+++ b/gogs.go
@@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.9.37.0708"
+const APP_VER = "0.9.38.0708"
 
 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())
diff --git a/models/webhook.go b/models/webhook.go
index 6d8b8c168..7a42093b5 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
 	return err
 }
 
-// GetWebhookByID returns webhook by given ID.
-func GetWebhookByID(id int64) (*Webhook, error) {
+// GetWebhookByID returns webhook of repository by given ID.
+func GetWebhookByID(repoID, id int64) (*Webhook, error) {
 	w := new(Webhook)
-	has, err := x.Id(id).Get(w)
+	has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
 	if err != nil {
 		return nil, err
 	} else if !has {
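Review bot: The new doc comment `// GetWebhookByID returns webhook of repository by given ID.` does not state what happens when the ID exists but belongs to a different repository, which is the point of the change; since the `!has` branch (outside this hunk) presumably returns the same not-exist error in both cases, the contract is worth spelling out: `// GetWebhookByID returns the webhook with the given ID only if it belongs to repository repoID; an ID owned by another repository is reported as not existing, so callers cannot tell the two cases apart.` The not-found return itself is outside the hunk, so confirm the error there before writing that. Also note that with the added `And("repo_id=?", repoID)` condition, any webhook stored with a repo_id that does not match the caller's scope is unreachable through this function; if the table also holds webhooks not owned by a repository (checkWebhook in routers/repo/webhook.go returns an OrgRepoCtx, which hints at organization hooks), those callers need a separate lookup.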
@@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
 		}
 
 		// Update webhook last delivery status.
-		w, err := GetWebhookByID(t.HookID)
+		w, err := GetWebhookByID(t.RepoID, t.HookID)
 		if err != nil {
 			log.Error(5, "GetWebhookByID: %v", err)
 			return
diff --git a/routers/api/v1/repo/hook.go b/routers/api/v1/repo/hook.go
index 0cbe6762a..0dac8f7cf 100644
--- a/routers/api/v1/repo/hook.go
+++ b/routers/api/v1/repo/hook.go
@@ -98,7 +98,7 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
 
 // https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook
 func EditHook(ctx *context.APIContext, form api.EditHookOption) {
-	w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
+	w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
 	if err != nil {
 		if models.IsErrWebhookNotExist(err) {
 			ctx.Status(404)
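Review bot: With the repository-scoped lookup, a hook ID owned by another repository now falls into the `IsErrWebhookNotExist` branch and is answered with 404, which is the right response because it does not confirm that the foreign ID exists, but nothing in the code says this is deliberate; a comment above the call would preserve that intent: `// Scoped to the current repository: an ID owned by another repository is reported as 404, not 403.` The same applies to the identical change in checkWebhook in routers/repo/webhook.go. If this file has other handlers that load or delete a webhook by `:id` through a different model call, they need the same `ctx.Repo.Repository.ID` scoping, which this patch cannot show. EditHook continues outside the hunk.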
diff --git a/routers/repo/webhook.go b/routers/repo/webhook.go
index 16aa3821a..460a430aa 100644
--- a/routers/repo/webhook.go
+++ b/routers/repo/webhook.go
@@ -220,7 +220,7 @@ func checkWebhook(ctx *context.Context) (*OrgRepoCtx, *models.Webhook) {
 	}
 	ctx.Data["BaseLink"] = orCtx.Link
 
-	w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
+	w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
 	if err != nil {
 		if models.IsErrWebhookNotExist(err) {
 			ctx.Handle(404, "GetWebhookByID", nil)
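Review bot: checkWebhook returns an `*OrgRepoCtx` and reads `orCtx.Link`, which suggests it serves organization-level webhook pages as well as repository ones; on that path `ctx.Repo.Repository` may be nil, so the new `ctx.Repo.Repository.ID` dereference would panic, and even when a repository is in context an organization hook would have no matching `repo_id` and would now be reported as not found. The lookup should branch on what orCtx describes: use the repository-scoped call when a repository is in context, and an organization-scoped lookup (filtering on whatever column ties a webhook to its organization rather than `repo_id`) otherwise, which needs a second model function this patch does not add. If organization hooks are not routed through checkWebhook, a comment at the top of the function stating that assumption would make the new dereference safe to read. checkWebhook starts outside the hunk.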
diff --git a/templates/.VERSION b/templates/.VERSION
index dd6328aee..d8f833ffd 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.9.37.0708
\ No newline at end of file
+0.9.38.0708
\ No newline at end of file