Updating webhook via API removes secret token value
Summary
When creating a project hook you can optionally provide a token
parameter and value to define a secret token for the webhook.
If you then edit that hook via the API, the secret token is erased, even if no token
parameter was provided. This means you must now provide a token
parameter and value each time you edit a webhook, or you risk losing that value entirely.
This was reported by a Premium customer who states this only recently started occurring. I can confirm that this does not occur on a self-managed installation running 15.2.0.
Steps to reproduce
- In a test project of your choosing, add a project hook via the API. Be sure to provide a
token
parameter and value. - Navigate to the webhook via project settings >> webhooks. Click the "edit" button on the webhook you created, and observe the populated "Secret token" field.
- Note the webhook ID from the URL and use this value to edit the webhook via the API. Do not provide the
token
parameter. - Navigate back to the webhook and note the "Secret token" field has been stripped.
What is the current bug behavior?
The "secret token" value is removed from webhooks when updated via the API.
What is the expected correct behavior?
The "secret token" value is not removed from the webhook unless you specifically include an empty token
parameter value you in your request.
Output of checks
This bug happens on GitLab.com