From a657723e1ce998e64f1b38c1eb6994e55adb3bd6 Mon Sep 17 00:00:00 2001
From: Pedro Castro
Date: Tue, 14 Apr 2026 00:46:46 -0300
Subject: [PATCH 1/2] fix: add session and permission checks to webhook settings page (#28769)
---
 .../developer/webhooks/[id]/page.tsx | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/webhooks/[id]/page.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/webhooks/[id]/page.tsx
index 7d25e5fdd4c847..86928df4c68a92 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/webhooks/[id]/page.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/webhooks/[id]/page.tsx
@@ -1,8 +1,15 @@
 import type { PageProps } from "app/_types";
 import { _generateMetadata } from "app/_utils";
+import { cookies, headers } from "next/headers";
+import { notFound, redirect } from "next/navigation";
+import { getServerSession } from "@calcom/features/auth/lib/getServerSession";
+import { PermissionCheckService } from "@calcom/features/pbac/services/permission-check.service";
 import { WebhookRepository } from "@calcom/features/webhooks/lib/repository/WebhookRepository";
 import { APP_NAME } from "@calcom/lib/constants";
+import { MembershipRole } from "@calcom/prisma/enums";
+
+import { buildLegacyRequest } from "@lib/buildLegacyCtx";
 import { EditWebhookView } from "~/webhooks/views/webhook-edit-view";
@@ -16,12 +23,33 @@ export const generateMetadata = async ({ params }: { params: Promise<{ id: strin
 );
 const Page = async ({ params: _params }: PageProps) => {
+ const session = await getServerSession({ req: buildLegacyRequest(await headers(), await cookies()) });
+ if (!session?.user?.id) {
+ return redirect("/auth/login");
+ }
+
 const params = await _params;
 const id = typeof params?.id === "string" ? params.id : undefined;
 const webhookRepository = WebhookRepository.getInstance();
 const webhook = await webhookRepository.findByWebhookId(id);
+ // Ownership check: align with PBAC middleware in webhook/util.ts
+ if (webhook.teamId) {
+ const permissionService = new PermissionCheckService();
+ const hasPermission = await permissionService.checkPermission({
+ userId: session.user.id,
+ teamId: webhook.teamId,
+ permission: "webhook.read",
+ fallbackRoles: [MembershipRole.ADMIN, MembershipRole.OWNER, MembershipRole.MEMBER],
+ });
+ if (!hasPermission) {
+ notFound();
+ }
+ } else if (webhook.userId !== session.user.id) {
+ notFound();
+ }
+
 return ;
 };
From 053fb56b790c8cc84f07f4fdd9e473319768b026 Mon Sep 17 00:00:00 2001
From: Pedro Castro
Date: Tue, 14 Apr 2026 02:41:25 -0300
Subject: [PATCH 2/2] refactor: use named import for authedOrgAdminProcedure in dsync routers (#28877)
Co-authored-by: Sahitya Chandra
---
 packages/trpc/server/routers/viewer/dsync/_router.tsx | 2 +-
 .../server/routers/viewer/dsync/teamGroupMapping/_router.tsx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/trpc/server/routers/viewer/dsync/_router.tsx b/packages/trpc/server/routers/viewer/dsync/_router.tsx
index 57301b09826514..6954aa027ab7f2 100644
--- a/packages/trpc/server/routers/viewer/dsync/_router.tsx
+++ b/packages/trpc/server/routers/viewer/dsync/_router.tsx
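Review bot: `webhook.teamId` on the line after the `// Ownership check` comment dereferences the repository result before anything confirms a row was found; if `findByWebhookId` can resolve to null for an unknown id (and `id` is explicitly allowed to be `undefined` two lines earlier), an authenticated user requesting a bogus id now gets a thrown TypeError instead of the intended 404. Guarding first keeps the deny-by-default shape of the new code: `if (!webhook) { notFound(); }` placed directly after the `findByWebhookId` await. Answering a failed ownership check with `notFound()` rather than a 403 is the right choice here, since it does not confirm to a non-owner that the webhook id exists. The `fallbackRoles` list grants read access to plain `MEMBER`s; the comment says this mirrors the PBAC middleware in webhook/util.ts, which is outside this diff, so that alignment is worth confirming in review.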
@@ -1,4 +1,4 @@
-import authedOrgAdminProcedure from "../../../procedures/authedProcedure";
+import { authedOrgAdminProcedure } from "../../../procedures/authedProcedure";
 import { router } from "../../../trpc";
 import { ZCreateInputSchema } from "./create.schema";
 import { ZDeleteInputSchema } from "./delete.schema";
diff --git a/packages/trpc/server/routers/viewer/dsync/teamGroupMapping/_router.tsx b/packages/trpc/server/routers/viewer/dsync/teamGroupMapping/_router.tsx
index 1edffe60aaff04..3ad6437df308f7 100644
--- a/packages/trpc/server/routers/viewer/dsync/teamGroupMapping/_router.tsx
+++ b/packages/trpc/server/routers/viewer/dsync/teamGroupMapping/_router.tsx
@@ -1,4 +1,4 @@
-import authedOrgAdminProcedure from "@calcom/trpc/server/procedures/authedProcedure";
+import { authedOrgAdminProcedure } from "@calcom/trpc/server/procedures/authedProcedure";
 import { router } from "@calcom/trpc/server/trpc";
 import { ZCreateInputSchema } from "./create.schema";