(refs #2184) Fix authorization for group web hook configuration page

Naoki Takezoe
2018-11-13 21:32:31 +09:00
parent e8262cf5ce
commit 41f1c0c136
2 changed files with 9 additions and 7 deletions


@@ -421,7 +421,7 @@ trait AccountControllerBase extends AccountManagementControllerBase {
redirect(s"/${userName}/_application")
})
get("/:userName/_hooks")(oneselfOnly {
get("/:userName/_hooks")(managersOnly {
val userName = params("userName")
getAccountByUserName(userName).map { account =>
gitbucket.core.account.html.hooks(account, getAccountWebHooks(account.userName), flash.get("info"))
@@ -431,7 +431,7 @@ trait AccountControllerBase extends AccountManagementControllerBase {
/**
* Display the account web hook edit page.
*/
get("/:userName/_hooks/new")(oneselfOnly {
get("/:userName/_hooks/new")(managersOnly {
val userName = params("userName")
getAccountByUserName(userName).map { account =>
val webhook = AccountWebHook(userName, "", WebHookContentType.FORM, None)
@@ -442,7 +442,7 @@ trait AccountControllerBase extends AccountManagementControllerBase {
/**
* Add the account web hook URL.
*/
post("/:userName/_hooks/new", accountWebHookForm(false))(oneselfOnly { form =>
post("/:userName/_hooks/new", accountWebHookForm(false))(managersOnly { form =>
val userName = params("userName")
addAccountWebHook(userName, form.url, form.events, form.ctype, form.token)
flash += "info" -> s"Webhook ${form.url} created"
@@ -452,7 +452,7 @@ trait AccountControllerBase extends AccountManagementControllerBase {
/**
* Delete the account web hook URL.
*/
get("/:userName/_hooks/delete")(oneselfOnly {
get("/:userName/_hooks/delete")(managersOnly {
val userName = params("userName")
deleteAccountWebHook(userName, params("url"))
flash += "info" -> s"Webhook ${params("url")} deleted"
@@ -462,7 +462,7 @@ trait AccountControllerBase extends AccountManagementControllerBase {
/**
* Display the account web hook edit page.
*/
get("/:userName/_hooks/edit")(oneselfOnly {
get("/:userName/_hooks/edit")(managersOnly {
val userName = params("userName")
getAccountByUserName(userName).flatMap { account =>
getAccountWebHook(userName, params("url")).map {
@@ -475,7 +475,7 @@ trait AccountControllerBase extends AccountManagementControllerBase {
/**
* Update account web hook settings.
*/
post("/:userName/_hooks/edit", accountWebHookForm(true))(oneselfOnly { form =>
post("/:userName/_hooks/edit", accountWebHookForm(true))(managersOnly { form =>
val userName = params("userName")
updateAccountWebHook(userName, form.url, form.events, form.ctype, form.token)
flash += "info" -> s"webhook ${form.url} updated"
@@ -485,7 +485,7 @@ trait AccountControllerBase extends AccountManagementControllerBase {
/**
* Send the test request to registered account web hook URLs.
*/
ajaxPost("/:userName/_hooks/test")(oneselfOnly {
ajaxPost("/:userName/_hooks/test")(managersOnly {
// TODO Is it possible to merge with [[RepositorySettingsController.ajaxPost]]?
import scala.concurrent.duration._
import scala.concurrent._
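Review bot: `get("/:userName/_hooks/delete")` still performs the deletion on a GET request after the guard is swapped to `managersOnly`, so a state change is triggered by following a plain link, and it is now reachable by every manager of the group rather than only the account itself; it would be safer as `post("/:userName/_hooks/delete")(managersOnly { ... })`, matching the `_hooks/new` and `_hooks/edit` mutators in this same section. The `/:userName/_hooks` listing route at the top of the section has no Scaladoc while every sibling route does; `/** Display the account web hook list page. */` would fit the existing style. From the visible arms of the authenticator in the second file, `managersOnly` admits admins, the account owner and group managers, so behaviour for personal accounts appears unchanged, but that hunk is cut off here and should be confirmed. The enclosing `AccountControllerBase` trait starts and ends outside these hunks.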


@@ -161,6 +161,8 @@ trait GroupManagerAuthenticator { self: ControllerBase with AccountService =>
private def authenticate(action: => Any) = {
context.loginAccount match {
case Some(x) if x.isAdmin => action
case Some(x) if x.userName == request.paths(0) => action
case Some(x) if (getGroupMembers(request.paths(0)).exists { member =>
member.userName == x.userName && member.isManager
}) =>