basecamp · jeremy · Jan 25, 2026 · Jan 25, 2026
diff --git a/app/controllers/webhooks/activations_controller.rb b/app/controllers/webhooks/activations_controller.rb
@@ -1,8 +1,10 @@
 class Webhooks::ActivationsController < ApplicationController
+  include BoardScoped
+
   before_action :ensure_admin
 
   def create
-    webhook = Current.account.webhooks.find(params[:webhook_id])
+    webhook = @board.webhooks.find(params[:webhook_id])
     webhook.activate
 
     redirect_to webhook

diff --git a/test/controllers/webhooks/activations_controller_test.rb b/test/controllers/webhooks/activations_controller_test.rb
@@ -16,4 +16,20 @@ class Webhooks::ActivationsControllerTest < ActionDispatch::IntegrationTest
 
     assert_redirected_to board_webhook_path(webhook.board, webhook)
   end
+
+  test "cannot activate webhook on board without access" do
+    logout_and_sign_in_as :jason
+    webhook = webhooks(:inactive)  # on private board, jason has no access
+
+    post board_webhook_activation_path(webhook.board, webhook)
+    assert_response :not_found
+  end
+
+  test "non-admin cannot activate webhook" do
+    logout_and_sign_in_as :jz  # member with writebook access, but not admin
+    webhook = webhooks(:active)  # on writebook board
+
+    post board_webhook_activation_path(webhook.board, webhook)
+    assert_response :forbidden
+  end
 end
diff --git a/test/controllers/webhooks_controller_test.rb b/test/controllers/webhooks_controller_test.rb
@@ -121,4 +121,13 @@ class WebhooksControllerTest < ActionDispatch::IntegrationTest
 
     assert_redirected_to board_webhooks_path(webhook.board)
   end
+
+  test "cannot access webhooks on board without access" do
+    logout_and_sign_in_as :jason
+
+    webhook = webhooks(:inactive)  # on private board, jason has no access
+
+    get board_webhooks_path(webhook.board)
+    assert_response :not_found
+  end
 end