[Open] Jeremy-Gaillard opened this issue 4 years ago
@Jeremy-Gaillard, same issue for me on v8.8.1. Here's a hook that will block everyone except admins from reading the webhooks endpoint:
<?php
// https://docs.directus.io/extensions/hooks.html#creating-hooks
return [
    'filters' => [
        // Runs on every read of directus_webhooks, before the items are returned to the caller.
        'item.read.directus_webhooks' => function (\Directus\Hook\Payload $payload) {
            $container = \Directus\Application\Application::getInstance()->getContainer();
            $acl = $container->get('acl');
            // User is an admin if they have role id 1.
            $userIsAdmin = in_array(1, $acl->getRolesId());
            if (!$userIsAdmin) {
                throw new \Directus\Exception\UnauthorizedException('User not authorized to view this endpoint (protected by hook).');
            }
            return $payload;
        },
    ]
];
Directus version: 8.6.2
Anyone can access the webhooks' description by querying https://{baseurl}/{project}/webhooks, regardless of the public role's permission settings.