#89 Let an user display and change their API key

TheHive-Project · Apr 13, 2018 · 7823ecb · 7823ecb
1 parent 714b131
commit 7823ecb
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/app/org/thp/cortex/controllers/AnalyzerCtrl.scala b/app/org/thp/cortex/controllers/AnalyzerCtrl.scala
@@ -4,7 +4,7 @@ import javax.inject.{ Inject, Singleton }
 
 import scala.concurrent.{ ExecutionContext, Future }
 
-import play.api.libs.json.{ JsNull, JsObject, Json }
+import play.api.libs.json.{ JsObject, Json }
 import play.api.mvc.{ AbstractController, Action, AnyContent, ControllerComponents }
 
 import akka.stream.Materializer

diff --git a/app/org/thp/cortex/controllers/MispCtrl.scala b/app/org/thp/cortex/controllers/MispCtrl.scala
@@ -2,11 +2,10 @@ package org.thp.cortex.controllers
 
 import javax.inject.Inject
 import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer }
-import org.elastic4play.services.QueryDSL
 import org.thp.cortex.models.Roles
 import org.thp.cortex.services.{ AnalyzerSrv, MispSrv }
 import play.api.Logger
-import play.api.libs.json.{ JsObject, JsValue, Json }
+import play.api.libs.json.{ JsObject, JsValue }
 import play.api.mvc._
 
 import scala.concurrent.{ ExecutionContext, Future }

diff --git a/app/org/thp/cortex/controllers/UserCtrl.scala b/app/org/thp/cortex/controllers/UserCtrl.scala
@@ -210,9 +210,11 @@ class UserCtrl @Inject() (
   }
 
   @Timed
-  def getKey(userId: String): Action[AnyContent] = authenticated(Roles.orgAdmin, Roles.superAdmin).async { implicit request ⇒
+  def getKey(userId: String): Action[AnyContent] = authenticated().async { implicit request ⇒
     for {
       _ ← checkUserOrganization(userId)
+      _ ← if (userId == request.userId || request.roles.contains(Roles.orgAdmin) || request.roles.contains(Roles.superAdmin)) Future.successful(())
+      else Future.failed(AuthorizationError("You are not authorized to perform this operation"))
       key ← authSrv.getKey(userId)
     } yield Ok(key)
   }
@@ -226,9 +228,11 @@ class UserCtrl @Inject() (
   }
 
   @Timed
-  def renewKey(userId: String): Action[AnyContent] = authenticated(Roles.orgAdmin, Roles.superAdmin).async { implicit request ⇒
+  def renewKey(userId: String): Action[AnyContent] = authenticated().async { implicit request ⇒
     for {
       _ ← checkUserOrganization(userId)
+      _ ← if (userId == request.userId || request.roles.contains(Roles.orgAdmin) || request.roles.contains(Roles.superAdmin)) Future.successful(())
+      else Future.failed(AuthorizationError("You are not authorized to perform this operation"))
       key ← authSrv.renewKey(userId)
     } yield Ok(key)
   }