1 files changed, 20 insertions, 4 deletions

diff --git a/app/services/web_hooks/destroy_service.rb b/app/services/web_hooks/destroy_service.rb
index 54c6c7ea71b..dbd164ab20e 100644
--- a/app/services/web_hooks/destroy_service.rb
+++ b/app/services/web_hooks/destroy_service.rb
@@ -1,25 +1,41 @@
 # frozen_string_literal: true
 
 module WebHooks
+  # Destroy a hook, and schedule the logs for deletion.
   class DestroyService
+    include Services::ReturnServiceResponses
+
     attr_accessor :current_user
 
+    DENIED = 'Insufficient permissions'
+
     def initialize(current_user)
       @current_user = current_user
     end
 
-    # Destroy the hook immediately, schedule the logs for deletion
     def execute(web_hook)
+      return error(DENIED, 401) unless authorized?(web_hook)
+
       hook_id = web_hook.id
 
       if web_hook.destroy
         WebHooks::LogDestroyWorker.perform_async({ 'hook_id' => hook_id })
-        Gitlab::AppLogger.info("User #{current_user&.id} scheduled a deletion of logs for hook ID #{hook_id}")
+        Gitlab::AppLogger.info(log_message(web_hook))
 
-        ServiceResponse.success(payload: { async: false })
+        success({ async: false })
       else
-        ServiceResponse.error(message: "Unable to destroy #{web_hook.model_name.human}")
+        error("Unable to destroy #{web_hook.model_name.human}", 500)
       end
     end
+
+    private
+
+    def log_message(hook)
+      "User #{current_user&.id} scheduled a deletion of logs for hook ID #{hook.id}"
+    end
+
+    def authorized?(web_hook)
+      Ability.allowed?(current_user, :destroy_web_hook, web_hook)
+    end
   end
 end