Merge pull request #60555 from nextcloud/backport/60543/stable33

[stable33] fix: only allow full admins to create 'token needed' webhooks

Author: sorbaugh

apps/webhook_listeners/lib/Controller/WebhooksController.php

@@ -26,8 +26,10 @@
 use OCP\AppFramework\OCS\OCSForbiddenException;
 use OCP\AppFramework\OCS\OCSNotFoundException;
 use OCP\AppFramework\OCSController;
+use OCP\IGroupManager;
 use OCP\IRequest;
 use OCP\ISession;
+use OCP\IUserSession;
 use Psr\Log\LoggerInterface;
 
 /**
@@ -42,6 +44,8 @@ public function __construct(
 		private WebhookListenerMapper $mapper,
 		private ?string $userId,
 		private ISession $session,
+		private IUserSession $userSession,
+		private IGroupManager $groupManager,
 	) {
 		parent::__construct($appName, $request);
 	}
@@ -150,6 +154,12 @@ public function create(
 		} catch (\ValueError $e) {
 			throw new OCSBadRequestException('This auth method does not exist');
 		}
+
+		$user = $this->userSession->getUser();
+		if (!$user || !$this->groupManager->isAdmin($user->getUID())) {
+			$tokenNeeded = null;
+		}
+
 		try {
 			$webhookListener = $this->mapper->addWebhookListener(
 				$appId,