From eb1b9247ad5f5c3a2141db7c8d9989f60443abe3 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Thu, 14 Sep 2023 12:15:37 +0200
Subject: [PATCH] feat(webhooks): prevent link shares from managing webhooks

---
 pkg/models/webhooks_rights.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/pkg/models/webhooks_rights.go b/pkg/models/webhooks_rights.go
index fed8483be20..b5cc88bd3b7 100644
--- a/pkg/models/webhooks_rights.go
+++ b/pkg/models/webhooks_rights.go
@@ -27,16 +27,23 @@ func (w *Webhook) CanRead(s *xorm.Session, a web.Auth) (bool, int, error) {
 }
 
 func (w *Webhook) CanDelete(s *xorm.Session, a web.Auth) (bool, error) {
-	p := &Project{ID: w.ProjectID}
-	return p.CanUpdate(s, a)
+	return w.canDoWebhook(s, a)
 }
 
 func (w *Webhook) CanUpdate(s *xorm.Session, a web.Auth) (bool, error) {
-	p := &Project{ID: w.ProjectID}
-	return p.CanUpdate(s, a)
+	return w.canDoWebhook(s, a)
 }
 
 func (w *Webhook) CanCreate(s *xorm.Session, a web.Auth) (bool, error) {
+	return w.canDoWebhook(s, a)
+}
+
+func (w *Webhook) canDoWebhook(s *xorm.Session, a web.Auth) (bool, error) {
+	_, isShareAuth := a.(*LinkSharing)
+	if isShareAuth {
+		return false, nil
+	}
+
 	p := &Project{ID: w.ProjectID}
 	return p.CanUpdate(s, a)
 }