From 8abf62715c817eeb0584eb1c85ebf78e7f84fc6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come.chilliet@nextcloud.com>
Date: Mon, 24 Jun 2024 16:46:43 +0200
Subject: [PATCH] fix(webhooks): Fix userIdFiltering for webhooks calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
---
 .../lib/Db/WebhookListenerMapper.php          | 15 +++++--
 .../lib/Listener/WebhooksEventListener.php    |  2 +-
 .../tests/Db/WebhookListenerMapperTest.php    | 45 +++++++++++++++++++
 3 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/apps/webhook_listeners/lib/Db/WebhookListenerMapper.php b/apps/webhook_listeners/lib/Db/WebhookListenerMapper.php
index ad8c287ad43..55086f95668 100644
--- a/apps/webhook_listeners/lib/Db/WebhookListenerMapper.php
+++ b/apps/webhook_listeners/lib/Db/WebhookListenerMapper.php
@@ -168,7 +168,10 @@ class WebhookListenerMapper extends QBMapper {
 
 		$qb->selectDistinct('event')
 			->from($this->getTableName())
-			->where($qb->expr()->in('user_id_filter', $qb->createNamedParameter(['',$userId], IQueryBuilder::PARAM_STR_ARRAY), IQueryBuilder::PARAM_STR));
+			->where($qb->expr()->in(
+				'user_id_filter',
+				$qb->createNamedParameter(array_unique(['',$userId]), IQueryBuilder::PARAM_STR_ARRAY),
+			));
 
 		$result = $qb->executeQuery();
 
@@ -201,12 +204,18 @@ class WebhookListenerMapper extends QBMapper {
 	/**
 	 * @throws Exception
 	 */
-	public function getByEvent(string $event): array {
+	public function getByEvent(string $event, ?string $userId = null): array {
 		$qb = $this->db->getQueryBuilder();
 
 		$qb->select('*')
 			->from($this->getTableName())
-			->where($qb->expr()->eq('event', $qb->createNamedParameter($event, IQueryBuilder::PARAM_STR)));
+			->where($qb->expr()->eq('event', $qb->createNamedParameter($event, IQueryBuilder::PARAM_STR)))
+			->andWhere(
+				$qb->expr()->in(
+					'user_id_filter',
+					$qb->createNamedParameter(array_unique(['',$userId ?? '']), IQueryBuilder::PARAM_STR_ARRAY),
+				)
+			);
 
 		return $this->findEntities($qb);
 	}
diff --git a/apps/webhook_listeners/lib/Listener/WebhooksEventListener.php b/apps/webhook_listeners/lib/Listener/WebhooksEventListener.php
index 5ea4d531c9f..d0b347baed7 100644
--- a/apps/webhook_listeners/lib/Listener/WebhooksEventListener.php
+++ b/apps/webhook_listeners/lib/Listener/WebhooksEventListener.php
@@ -34,8 +34,8 @@ class WebhooksEventListener implements IEventListener {
 	}
 
 	public function handle(Event $event): void {
-		$webhookListeners = $this->mapper->getByEvent($event::class);
 		$user = $this->userSession->getUser();
+		$webhookListeners = $this->mapper->getByEvent($event::class, $user?->getUID());
 
 		foreach ($webhookListeners as $webhookListener) {
 			// TODO add group membership to be able to filter on it
diff --git a/apps/webhook_listeners/tests/Db/WebhookListenerMapperTest.php b/apps/webhook_listeners/tests/Db/WebhookListenerMapperTest.php
index 327d5740077..725d4108e03 100644
--- a/apps/webhook_listeners/tests/Db/WebhookListenerMapperTest.php
+++ b/apps/webhook_listeners/tests/Db/WebhookListenerMapperTest.php
@@ -124,4 +124,49 @@ class WebhookListenerMapperTest extends TestCase {
 		$listener1->resetUpdatedFields();
 		$this->assertEquals($listener1, $listener2);
 	}
+
+	public function testInsertListenerAndGetItByEventAndUser() {
+		$listener1 = $this->mapper->addWebhookListener(
+			null,
+			'bob',
+			'POST',
+			'https://webhook.example.com/endpoint',
+			NodeWrittenEvent::class,
+			null,
+			'alice',
+			null,
+			AuthMethod::None,
+			null,
+		);
+		$listener1->resetUpdatedFields();
+
+		$this->assertEquals([NodeWrittenEvent::class], $this->mapper->getAllConfiguredEvents('alice'));
+		$this->assertEquals([], $this->mapper->getAllConfiguredEvents(''));
+		$this->assertEquals([], $this->mapper->getAllConfiguredEvents('otherUser'));
+
+		$this->assertEquals([$listener1], $this->mapper->getByEvent(NodeWrittenEvent::class, 'alice'));
+		$this->assertEquals([], $this->mapper->getByEvent(NodeWrittenEvent::class, ''));
+		$this->assertEquals([], $this->mapper->getByEvent(NodeWrittenEvent::class, 'otherUser'));
+
+		/* Add a second listener with no user filter */
+		$listener2 = $this->mapper->addWebhookListener(
+			null,
+			'bob',
+			'POST',
+			'https://webhook.example.com/endpoint',
+			NodeWrittenEvent::class,
+			null,
+			'',
+			null,
+			AuthMethod::None,
+			null,
+		);
+		$listener2->resetUpdatedFields();
+
+		$this->assertEquals([NodeWrittenEvent::class], $this->mapper->getAllConfiguredEvents('alice'));
+		$this->assertEquals([NodeWrittenEvent::class], $this->mapper->getAllConfiguredEvents(''));
+
+		$this->assertEquals([$listener1, $listener2], $this->mapper->getByEvent(NodeWrittenEvent::class, 'alice'));
+		$this->assertEquals([$listener2], $this->mapper->getByEvent(NodeWrittenEvent::class, 'otherUser'));
+	}
 }