#1396 Prevent user self lock

thehive/app/org/thp/thehive/controllers/v0/Properties.scala

@@ -11,7 +11,7 @@ import org.thp.scalligraph.query.{NoValue, PublicProperty, PublicPropertyListBui
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.steps.IdMapping
 import org.thp.scalligraph.steps.StepsOps._
-import org.thp.scalligraph.{AttributeCheckingError, BadRequestError, InvalidFormatAttributeError, RichSeq}
+import org.thp.scalligraph.{AttributeCheckingError, AuthorizationError, BadRequestError, InvalidFormatAttributeError, RichSeq}
 import org.thp.thehive.controllers.v0.Conversion._
 import org.thp.thehive.dto.v0.InputTask
 import org.thp.thehive.models.{AlertCase, CaseStatus, Permissions, TaskStatus}
@@ -436,19 +436,19 @@ class Properties @Inject() (
       })
       .property("status", UniMapping.string)(
         _.select(_.choose(predicate = _.locked.is(P.eq(true)), onTrue = _.constant("Locked"), onFalse = _.constant("Ok")))
-          .custom { (_, value, vertex, db, graph, authContext) =>
+          .custom { (_, value, vertex, _, graph, authContext) =>
             userSrv
               .current(graph, authContext)
               .organisations(Permissions.manageUser)
               .users
               .get(vertex)
-              .existsOrFail()
+              .orFail(AuthorizationError("Operation not permitted"))
               .flatMap {
-                case _ if value == "Ok" =>
-                  db.setProperty(vertex, "locked", false, UniMapping.boolean)
+                case user if value == "Ok" =>
+                  userSrv.unlock(user)(graph, authContext)
                   Success(Json.obj("status" -> value))
-                case _ if value == "Locked" =>
-                  db.setProperty(vertex, "locked", true, UniMapping.boolean)
+                case user if value == "Locked" =>
+                  userSrv.lock(user)(graph, authContext)
                   Success(Json.obj("status" -> value))
                 case _ => Failure(InvalidFormatAttributeError("status", "UserStatus", Set("Ok", "Locked"), FString(value)))
               }

thehive/app/org/thp/thehive/controllers/v1/UserCtrl.scala

@@ -159,7 +159,7 @@ class UserCtrl @Inject() (
                 for {
                   updateName <- maybeName.map(name => userSrv.get(user).update("name" -> name).map(_ => Json.obj("name" -> name))).flip
                   updateLocked <- maybeLocked
-                    .map(locked => requireAdmin(userSrv.get(user).update("locked" -> locked).map(_ => Json.obj("locked" -> locked))))
+                    .map(locked => requireAdmin(if (locked) userSrv.lock(user) else userSrv.unlock(user)).map(_ => Json.obj("locked" -> locked)))
                     .flip
                   updateProfile <- maybeProfile.map { profileName =>
                     requireAdmin {

thehive/app/org/thp/thehive/services/UserSrv.scala

@@ -14,7 +14,7 @@ import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.steps.StepsOps._
 import org.thp.scalligraph.steps.{Traversal, TraversalLike, VertexSteps}
-import org.thp.scalligraph.{BadRequestError, EntitySteps, RichOptionTry}
+import org.thp.scalligraph.{AuthorizationError, BadRequestError, EntitySteps, RichOptionTry}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import play.api.Configuration
@@ -101,9 +101,18 @@ class UserSrv @Inject() (
   override def exists(e: User)(implicit graph: Graph): Boolean = initSteps.getByName(e.login).exists()
 
   def lock(user: User with Entity)(implicit graph: Graph, authContext: AuthContext): Try[User with Entity] =
+    if (user.login == authContext.userId)
+      Failure(AuthorizationError("You cannot lock yourself"))
+    else
+      for {
+        updatedUser <- get(user).updateOne("locked" -> true)
+        _           <- auditSrv.user.update(updatedUser, Json.obj("locked" -> true))
+      } yield updatedUser
+
+  def unlock(user: User with Entity)(implicit graph: Graph, authContext: AuthContext): Try[User with Entity] =
     for {
-      updatedUser <- get(user).updateOne("locked" -> true)
-      _           <- auditSrv.user.update(updatedUser, Json.obj("locked" -> true))
+      updatedUser <- get(user).updateOne("locked" -> false)
+      _           <- auditSrv.user.update(updatedUser, Json.obj("locked" -> false))
     } yield updatedUser
 
   def current(implicit graph: Graph, authContext: AuthContext): UserSteps = get(authContext.userId)