Fix IDOR in webhook activation endpoint (#2431)

The webhook activation controller was using account-scoped lookup
instead of board-scoped lookup, allowing users to reactivate webhooks
on boards they don't have access to.

This was an oversight when board-scoping was added to the main webhooks
controller - the activations controller was missed in that update.

The fix adds the BoardScoped concern to properly restrict webhook
activation to boards the user has explicit access to.

Author: jeremy

app/controllers/webhooks/activations_controller.rb

@@ -1,8 +1,10 @@
 class Webhooks::ActivationsController < ApplicationController
+  include BoardScoped
+
   before_action :ensure_admin
 
   def create
-    webhook = Current.account.webhooks.find(params[:webhook_id])
+    webhook = @board.webhooks.find(params[:webhook_id])
     webhook.activate
 
     redirect_to webhook

test/controllers/webhooks/activations_controller_test.rb

@@ -16,4 +16,20 @@ class Webhooks::ActivationsControllerTest < ActionDispatch::IntegrationTest
 
     assert_redirected_to board_webhook_path(webhook.board, webhook)
   end
+
+  test "cannot activate webhook on board without access" do
+    logout_and_sign_in_as :jason
+    webhook = webhooks(:inactive)  # on private board, jason has no access
+
+    post board_webhook_activation_path(webhook.board, webhook)
+    assert_response :not_found
+  end
+
+  test "non-admin cannot activate webhook" do
+    logout_and_sign_in_as :jz  # member with writebook access, but not admin
+    webhook = webhooks(:active)  # on writebook board
+
+    post board_webhook_activation_path(webhook.board, webhook)
+    assert_response :forbidden
+  end
 end

test/controllers/webhooks_controller_test.rb

@@ -121,4 +121,13 @@ class WebhooksControllerTest < ActionDispatch::IntegrationTest
 
     assert_redirected_to board_webhooks_path(webhook.board)
   end
+
+  test "cannot access webhooks on board without access" do
+    logout_and_sign_in_as :jason
+
+    webhook = webhooks(:inactive)  # on private board, jason has no access
+
+    get board_webhooks_path(webhook.board)
+    assert_response :not_found
+  end
 end