diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/webhooks/[id]/page.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/webhooks/[id]/page.tsx
index 7d25e5fdd4c847..86928df4c68a92 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/webhooks/[id]/page.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/webhooks/[id]/page.tsx
@@ -1,8 +1,15 @@
 import type { PageProps } from "app/_types";
 import { _generateMetadata } from "app/_utils";
+import { cookies, headers } from "next/headers";
+import { notFound, redirect } from "next/navigation";
+import { getServerSession } from "@calcom/features/auth/lib/getServerSession";
+import { PermissionCheckService } from "@calcom/features/pbac/services/permission-check.service";
 import { WebhookRepository } from "@calcom/features/webhooks/lib/repository/WebhookRepository";
 import { APP_NAME } from "@calcom/lib/constants";
+import { MembershipRole } from "@calcom/prisma/enums";
+
+import { buildLegacyRequest } from "@lib/buildLegacyCtx";
 import { EditWebhookView } from "~/webhooks/views/webhook-edit-view";
@@ -16,12 +23,33 @@ export const generateMetadata = async ({ params }: { params: Promise<{ id: strin
 );
 const Page = async ({ params: _params }: PageProps) => {
+ const session = await getServerSession({ req: buildLegacyRequest(await headers(), await cookies()) });
+ if (!session?.user?.id) {
+ return redirect("/auth/login");
+ }
+
 const params = await _params;
 const id = typeof params?.id === "string" ? params.id : undefined;
 const webhookRepository = WebhookRepository.getInstance();
 const webhook = await webhookRepository.findByWebhookId(id);
+ // Ownership check: align with PBAC middleware in webhook/util.ts
+ if (webhook.teamId) {
+ const permissionService = new PermissionCheckService();
+ const hasPermission = await permissionService.checkPermission({
+ userId: session.user.id,
+ teamId: webhook.teamId,
+ permission: "webhook.read",
+ fallbackRoles: [MembershipRole.ADMIN, MembershipRole.OWNER, MembershipRole.MEMBER],
+ });
+ if (!hasPermission) {
+ notFound();
+ }
+ } else if (webhook.userId !== session.user.id) {
+ notFound();
+ }
+
 return ;
 };
diff --git a/packages/trpc/server/routers/viewer/dsync/_router.tsx b/packages/trpc/server/routers/viewer/dsync/_router.tsx
index 57301b09826514..6954aa027ab7f2 100644
--- a/packages/trpc/server/routers/viewer/dsync/_router.tsx
+++ b/packages/trpc/server/routers/viewer/dsync/_router.tsx
@@ -1,4 +1,4 @@
-import authedOrgAdminProcedure from "../../../procedures/authedProcedure";
+import { authedOrgAdminProcedure } from "../../../procedures/authedProcedure";
 import { router } from "../../../trpc";
 import { ZCreateInputSchema } from "./create.schema";
 import { ZDeleteInputSchema } from "./delete.schema";
diff --git a/packages/trpc/server/routers/viewer/dsync/teamGroupMapping/_router.tsx b/packages/trpc/server/routers/viewer/dsync/teamGroupMapping/_router.tsx
index 1edffe60aaff04..3ad6437df308f7 100644
--- a/packages/trpc/server/routers/viewer/dsync/teamGroupMapping/_router.tsx
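Review bot: The new ownership check reads `webhook.teamId` with no guard for a lookup miss, so if `findByWebhookId` returns null for an unknown id (or for the undefined id this page passes when the route param is not a string) the request dies with a TypeError instead of the 404 the unauthorized branches produce; insert `if (!webhook) notFound();` directly after the `findByWebhookId` call so an unknown id and a forbidden one yield the same response. Whether the repository returns null or throws is not visible in this hunk, so confirm against WebhookRepository before relying on the current code path. The `fallbackRoles` list grants MEMBER read access to team webhooks; the comment names webhook/util.ts as the source of truth, but quoting the exact guard there (e.g. `// mirrors the "webhook.read" fallback roles in webhook/util.ts`) would let a reader verify the two stay in sync. The `redirect("/auth/login")` drops the page the user was on, so if the login route accepts a return-URL parameter, passing the current path would land them back on this webhook after signing in.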
+++ b/packages/trpc/server/routers/viewer/dsync/teamGroupMapping/_router.tsx
@@ -1,4 +1,4 @@
-import authedOrgAdminProcedure from "@calcom/trpc/server/procedures/authedProcedure";
+import { authedOrgAdminProcedure } from "@calcom/trpc/server/procedures/authedProcedure";
 import { router } from "@calcom/trpc/server/trpc";
 import { ZCreateInputSchema } from "./create.schema";