From bc3252b1f616fa9fd5866bf528de85030afec0b4 Mon Sep 17 00:00:00 2001
From: Emmy D'Anello
Date: Mon, 17 Feb 2025 13:42:46 +0100
Subject: [PATCH] Don't trust Webhook data
---
 main.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/main.py b/main.py
index 15d1c18..fac28bb 100755
--- a/main.py
+++ b/main.py
@@ -132,12 +132,15 @@ def webhook_receiver():
 abort(400)
 triggercode = data['triggercode']
 obj = data['object']
+ dolibarr_client = Dolibarrpy(url=config.DOLIBARR_API_BASE, token=config.DOLIBARR_API_TOKEN, timeout=16, debug=config.DOLIBARR_API_DEBUG)
 ldap_server = Server(config.LDAP_HOST, config.LDAP_PORT, get_info=ALL)
 if triggercode.startswith('USER_'):
 with Connection(ldap_server, config.LDAP_BIND_USER, config.LDAP_BIND_PASSWORD) as ldap_conn:
- manage_user_extra_fields(ldap_conn, obj)
+ dolibarr_user = dolibarr_client.get_user_by_uid(obj['id'])
+ manage_user_extra_fields(ldap_conn, dolibarr_user)
 elif triggercode.startswith('USERGROUP_'):
 with Connection(ldap_server, config.LDAP_BIND_USER, config.LDAP_BIND_PASSWORD) as ldap_conn:
+ dolibarr_group = dolibarr_client.call_get_api(f"users/groups/{obj['id']}")
 manage_group_extra_fields(ldap_conn, obj)
 else:
 abort(400)
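Review bot: In the USERGROUP_ branch the fetched `dolibarr_group` is never used: `manage_group_extra_fields(ldap_conn, obj)` still receives the webhook payload, so the group path keeps trusting request data that the USER_ path no longer does. Passing the fetched record instead, `manage_group_extra_fields(ldap_conn, dolibarr_group)`, would close that gap, assuming `call_get_api` returns the group in the shape that function expects. `obj['id']` also comes from the request and is interpolated unchecked into the API path `f"users/groups/{obj['id']}"`; coercing it first, e.g. `group_id = int(obj['id'])` with `abort(400)` on `KeyError`/`ValueError`/`TypeError`, keeps a crafted value from addressing a different Dolibarr endpoint under the service token. The body of webhook_receiver starts outside the hunk, so whether the caller is authenticated before this point cannot be seen here.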