fix: add session and permission checks to webhook settings page (calcom#28769)

pedroccastro · web-flow · commit a657723e1ce9 · 2026-04-14T00:46:46.000-03:00
diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/webhooks/[id]/page.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/webhooks/[id]/page.tsx
@@ -1,8 +1,15 @@
 import type { PageProps } from "app/_types";
 import { _generateMetadata } from "app/_utils";
+import { cookies, headers } from "next/headers";
+import { notFound, redirect } from "next/navigation";
 
+import { getServerSession } from "@calcom/features/auth/lib/getServerSession";
+import { PermissionCheckService } from "@calcom/features/pbac/services/permission-check.service";
 import { WebhookRepository } from "@calcom/features/webhooks/lib/repository/WebhookRepository";
 import { APP_NAME } from "@calcom/lib/constants";
+import { MembershipRole } from "@calcom/prisma/enums";
+
+import { buildLegacyRequest } from "@lib/buildLegacyCtx";
 
 import { EditWebhookView } from "~/webhooks/views/webhook-edit-view";
 
@@ -16,12 +23,33 @@ export const generateMetadata = async ({ params }: { params: Promise<{ id: strin
   );
 
 const Page = async ({ params: _params }: PageProps) => {
+  const session = await getServerSession({ req: buildLegacyRequest(await headers(), await cookies()) });
+  if (!session?.user?.id) {
+    return redirect("/auth/login");
+  }
+
   const params = await _params;
   const id = typeof params?.id === "string" ? params.id : undefined;
 
   const webhookRepository = WebhookRepository.getInstance();
   const webhook = await webhookRepository.findByWebhookId(id);
 
+  // Ownership check: align with PBAC middleware in webhook/util.ts
+  if (webhook.teamId) {
+    const permissionService = new PermissionCheckService();
+    const hasPermission = await permissionService.checkPermission({
+      userId: session.user.id,
+      teamId: webhook.teamId,
+      permission: "webhook.read",
+      fallbackRoles: [MembershipRole.ADMIN, MembershipRole.OWNER, MembershipRole.MEMBER],
+    });
+    if (!hasPermission) {
+      notFound();
+    }
+  } else if (webhook.userId !== session.user.id) {
+    notFound();
+  }
+
   return <EditWebhookView webhook={webhook} />;
 };
 
