Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A locked user can use the API to create / delete / list cases (and more) #251

Closed
0xswitch opened this issue Jul 5, 2017 · 1 comment
Closed

A locked user can use the API to create / delete / list cases (and more) #251

0xswitch opened this issue Jul 5, 2017 · 1 comment
Assignees
@To-om
Labels
bug
Milestone
2.12.0

Comments

@0xswitch
Copy link

0xswitch commented Jul 5, 2017
edited
Loading

Request Type

Bug

Work Environment

Question Answer
OS version (server) CentOS,
OS version (client) CentOS, Seven
TheHive version / git hash 2.11.3
Package Type Binary

Problem Description

Locked user can still use the API. Even if an user is locked by the admin he still can uses the API to create an alert, a case, delete a case, get the list of the cases (certainly other actions are possible but I only tried these cases)

Steps to Reproduce

  1. Go to Admin Panel > Lock the user account
  2. Try to authenticate with the locked user (to be sur he is locked)
  3. If the user if successfully locked try to use his credentials to call the api.
    -> curl -XDELETE -u userlocked:userlocked https://instance:port/api/case/:caseid/
  4. Connect back to The Hive with a valid user and check the case which should be delected
  5. The case is deleted by a locked user

Complementary information

I guess this behaviour is unwanted but may be you are already aware of this !

Thank you for your awesome solution !
@To-om To-om self-assigned this Jul 5, 2017
@To-om To-om added the bug label Jul 5, 2017
@To-om To-om added this to the 2.12.0 milestone Jul 5, 2017
To-om added a commit that referenced this issue Jul 5, 2017
@To-om
#251 Check user status before creating authContext
21a4d4d
@To-om
Copy link
Contributor

To-om commented Jul 5, 2017

Good spot, thanks.

@To-om To-om closed this as completed Jul 5, 2017
To-om added a commit that referenced this issue Jul 5, 2017
@To-om
#251 Check user status before creating authContext
ff56992
nadouani pushed a commit that referenced this issue Jul 24, 2017
@To-om @nadouani
#251 Check user status before creating authContext
b932a31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@To-om To-om

Labels
bug
Projects
None yet
Milestone
2.12.0
Development

No branches or pull requests
2 participants
@0xswitch @To-om