Merge pull request #537 from traPtitech/update_webhook_api

Update webhook api

docs/swagger.yaml

@@ -3278,6 +3278,8 @@ components:
           type: string
         description:
           type: string
+        secure:
+          type: boolean
         channelId:
           type: string
           format: uuid

rbac/permission/bot.go

@@ -11,6 +11,8 @@ var (
 	EditWebhook = gorbac.NewStdPermission("edit_webhook")
 	// DeleteWebhook Webhook削除権限
 	DeleteWebhook = gorbac.NewStdPermission("delete_webhook")
+	// AccessOthersWebhook 他人のWebhookのアクセス権限
+	AccessOthersWebhook = gorbac.NewStdPermission("access_others_webhook")
 
 	// GetBot Bot情報取得権限
 	GetBot = gorbac.NewStdPermission("get_bot")

rbac/permission/list.go

@@ -86,10 +86,11 @@ var list = map[string]gorbac.Permission{
 	GetHeartbeat.ID():  GetHeartbeat,
 	PostHeartbeat.ID(): PostHeartbeat,
 
-	GetWebhook.ID():    GetWebhook,
-	CreateWebhook.ID(): CreateWebhook,
-	EditWebhook.ID():   EditWebhook,
-	DeleteWebhook.ID(): DeleteWebhook,
+	GetWebhook.ID():          GetWebhook,
+	CreateWebhook.ID():       CreateWebhook,
+	EditWebhook.ID():         EditWebhook,
+	DeleteWebhook.ID():       DeleteWebhook,
+	AccessOthersWebhook.ID(): AccessOthersWebhook,
 
 	GetBot.ID():          GetBot,
 	CreateBot.ID():       CreateBot,

rbac/role/roles.go

@@ -168,6 +168,8 @@ func SetRole(rbac *rbac.RBAC) {
 			permission.OperateForRestrictedTag,
 			permission.EditTag,
 
+			permission.AccessOthersWebhook,
+
 			permission.EditStampName,
 			permission.EditStampCreatedByOthers,
 			permission.DeleteStamp,

router/middleware.go

@@ -3,6 +3,7 @@ package router
 import (
 	"fmt"
 	"github.com/gofrs/uuid"
+	"github.com/traPtitech/traQ/rbac/permission"
 	"github.com/traPtitech/traQ/rbac/role"
 	"github.com/traPtitech/traQ/repository"
 	"github.com/traPtitech/traQ/sessions"
@@ -478,7 +479,7 @@ func (h *Handlers) ValidateWebhookID(requestUserCheck bool) echo.MiddlewareFunc
 
 			if requestUserCheck {
 				user, ok := c.Get("user").(*model.User)
-				if !ok || w.GetCreatorID() != user.ID {
+				if !ok || (!h.RBAC.IsGranted(user.ID, user.Role, permission.AccessOthersWebhook) && w.GetCreatorID() != user.ID) {
 					return c.NoContent(http.StatusForbidden)
 				}
 			}

router/stamp.go

@@ -70,10 +70,9 @@ func (h *Handlers) PatchStamp(c echo.Context) error {
 	user := getRequestUser(c)
 	stampID := getRequestParamAsUUID(c, paramStampID)
 	stamp := getStampFromContext(c)
-	r := getRBAC(c)
 
 	// ユーザー確認
-	if stamp.CreatorID != user.ID && !r.IsGranted(user.ID, user.Role, permission.EditStampCreatedByOthers) {
+	if stamp.CreatorID != user.ID && !h.RBAC.IsGranted(user.ID, user.Role, permission.EditStampCreatedByOthers) {
 		return echo.NewHTTPError(http.StatusForbidden, "you are not permitted to edit stamp created by others")
 	}
 
@@ -82,7 +81,7 @@ func (h *Handlers) PatchStamp(c echo.Context) error {
 	name := c.FormValue("name")
 	if len(name) > 0 {
 		// 権限確認
-		if !r.IsGranted(user.ID, user.Role, permission.EditStampName) {
+		if !h.RBAC.IsGranted(user.ID, user.Role, permission.EditStampName) {
 			return echo.NewHTTPError(http.StatusForbidden, "you are not permitted to change stamp name")
 		}
 		// 名前を検証

router/tags.go

@@ -56,9 +56,8 @@ func (h *Handlers) PostUserTag(c echo.Context) error {
 	// 操作制約付きタグ
 	if t.Restricted {
 		reqUser := getRequestUser(c)
-		r := getRBAC(c)
 
-		if !r.IsGranted(reqUser.ID, reqUser.Role, permission.OperateForRestrictedTag) {
+		if !h.RBAC.IsGranted(reqUser.ID, reqUser.Role, permission.OperateForRestrictedTag) {
 			return echo.NewHTTPError(http.StatusForbidden)
 		}
 	}
@@ -142,9 +141,7 @@ func (h *Handlers) DeleteUserTag(c echo.Context) error {
 	// 操作制約付きタグ
 	if ut.Tag.Restricted {
 		reqUser := getRequestUser(c)
-		r := getRBAC(c)
-
-		if !r.IsGranted(reqUser.ID, reqUser.Role, permission.OperateForRestrictedTag) {
+		if !h.RBAC.IsGranted(reqUser.ID, reqUser.Role, permission.OperateForRestrictedTag) {
 			return echo.NewHTTPError(http.StatusForbidden)
 		}
 	}
@@ -224,9 +221,8 @@ func (h *Handlers) PatchTag(c echo.Context) error {
 	// 制約変更
 	if req.Restrict != nil {
 		reqUser := getRequestUser(c)
-		r := getRBAC(c)
 
-		if !r.IsGranted(reqUser.ID, reqUser.Role, permission.OperateForRestrictedTag) {
+		if !h.RBAC.IsGranted(reqUser.ID, reqUser.Role, permission.OperateForRestrictedTag) {
 			return echo.NewHTTPError(http.StatusForbidden)
 		}
 
@@ -238,9 +234,8 @@ func (h *Handlers) PatchTag(c echo.Context) error {
 	// タグタイプ変更
 	if req.Type != nil {
 		reqUser := getRequestUser(c)
-		r := getRBAC(c)
 
-		if !r.IsGranted(reqUser.ID, reqUser.Role, permission.OperateForRestrictedTag) {
+		if !h.RBAC.IsGranted(reqUser.ID, reqUser.Role, permission.OperateForRestrictedTag) {
 			return echo.NewHTTPError(http.StatusForbidden)
 		}
 

router/users.go

@@ -156,7 +156,7 @@ func (h *Handlers) GetUserByID(c echo.Context) error {
 func (h *Handlers) GetUserIcon(c echo.Context) error {
 	user := getUserFromContext(c)
 
-	if _, ok := c.QueryParams()["thumb"]; ok {
+	if hasQuery(c, "thumb") {
 		return c.Redirect(http.StatusFound, fmt.Sprintf("/api/1.0/files/%s/thumbnail", user.Icon))
 	}
 
@@ -166,7 +166,7 @@ func (h *Handlers) GetUserIcon(c echo.Context) error {
 // GetMyIcon GET /users/me/icon
 func (h *Handlers) GetMyIcon(c echo.Context) error {
 	user := getRequestUser(c)
-	if _, ok := c.QueryParams()["thumb"]; ok {
+	if hasQuery(c, "thumb") {
 		return c.Redirect(http.StatusFound, fmt.Sprintf("/api/1.0/files/%s/thumbnail", user.Icon))
 	}
 	return c.Redirect(http.StatusFound, fmt.Sprintf("/api/1.0/files/%s", user.Icon))

router/utils.go

@@ -271,10 +271,6 @@ func getRequestParamAsUUID(c echo.Context, name string) uuid.UUID {
 	return uuid.FromStringOrNil(c.Param(name))
 }
 
-func getRBAC(c echo.Context) *rbac.RBAC {
-	return c.Get("rbac").(*rbac.RBAC)
-}
-
 // GetTraceID トレースIDを返します
 func GetTraceID(c echo.Context) string {
 	v, ok := c.Get(traceIDKey).(string)
@@ -295,3 +291,8 @@ func (h *Handlers) requestContextLogger(c echo.Context) *zap.Logger {
 	c.Set(loggerKey, l)
 	return l
 }
+
+func hasQuery(c echo.Context, query string) bool {
+	_, ok := c.QueryParams()[query]
+	return ok
+}

router/webhooks.go

@@ -8,6 +8,7 @@ import (
 	"github.com/gofrs/uuid"
 	"github.com/labstack/echo"
 	"github.com/traPtitech/traQ/model"
+	"github.com/traPtitech/traQ/rbac/permission"
 	"github.com/traPtitech/traQ/repository"
 	"github.com/traPtitech/traQ/utils"
 	"go.uber.org/zap"
@@ -24,6 +25,7 @@ type webhookForResponse struct {
 	BotUserID   string    `json:"botUserId"`
 	DisplayName string    `json:"displayName"`
 	Description string    `json:"description"`
+	Secure      bool      `json:"secure"`
 	ChannelID   string    `json:"channelId"`
 	CreatorID   string    `json:"creatorId"`
 	CreatedAt   time.Time `json:"createdAt"`
@@ -43,9 +45,17 @@ func LoadWebhookTemplate(pattern string) {
 
 // GetWebhooks GET /webhooks
 func (h *Handlers) GetWebhooks(c echo.Context) error {
-	userID := getRequestUserID(c)
+	user := getRequestUser(c)
 
-	list, err := h.Repo.GetWebhooksByCreator(userID)
+	var (
+		list []model.Webhook
+		err  error
+	)
+	if c.QueryParam("all") == "1" && h.RBAC.IsGranted(user.ID, user.Role, permission.AccessOthersWebhook) {
+		list, err = h.Repo.GetAllWebhooks()
+	} else {
+		list, err = h.Repo.GetWebhooksByCreator(user.ID)
+	}
 	if err != nil {
 		h.requestContextLogger(c).Error(unexpectedError, zap.Error(err))
 		return echo.NewHTTPError(http.StatusInternalServerError)
@@ -459,6 +469,7 @@ func formatWebhook(w model.Webhook) *webhookForResponse {
 		BotUserID:   w.GetBotUserID().String(),
 		DisplayName: w.GetName(),
 		Description: w.GetDescription(),
+		Secure:      len(w.GetSecret()) > 0,
 		ChannelID:   w.GetChannelID().String(),
 		CreatorID:   w.GetCreatorID().String(),
 		CreatedAt:   w.GetCreatedAt(),