#1264 Move permission check from service to controller

TheHive-Project · Mar 11, 2021 · 17662f6 · 17662f6
1 parent 6066a58
commit 17662f6
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/thehive/app/org/thp/thehive/controllers/v0/CaseCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/CaseCtrl.scala
@@ -3,10 +3,10 @@ package org.thp.thehive.controllers.v0
 import org.apache.tinkerpop.gremlin.process.traversal.P
 import org.thp.scalligraph._
 import org.thp.scalligraph.controllers.{Entrypoint, FPathElem, FPathEmpty, FieldsParser}
-import org.thp.scalligraph.models.{Database, Entity, UMapping}
+import org.thp.scalligraph.models.{Database, UMapping}
 import org.thp.scalligraph.query._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Graph, IteratorOutput, Traversal}
+import org.thp.scalligraph.traversal.{IteratorOutput, Traversal}
 import org.thp.thehive.controllers.v0.Conversion._
 import org.thp.thehive.dto.v0.{InputCase, InputTask}
 import org.thp.thehive.dto.v1.InputCustomFieldValue
@@ -17,14 +17,13 @@ import org.thp.thehive.services.CaseTemplateOps._
 import org.thp.thehive.services.CustomFieldOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
-import org.thp.thehive.services.ShareOps._
 import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services._
 import play.api.libs.json._
 import play.api.mvc.{Action, AnyContent, Results}
 
 import javax.inject.{Inject, Named, Singleton}
-import scala.util.{Failure, Success, Try}
+import scala.util.{Failure, Success}
 
 @Singleton
 class CaseCtrl @Inject() (

diff --git a/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala
@@ -137,6 +137,12 @@ class CaseCtrl @Inject() (
     entrypoint("delete a custom field")
       .authPermittedTransaction(db, Permissions.manageCase) { implicit request => implicit graph =>
         for {
+          _ <-
+            caseSrv
+              .caseCustomFieldSrv
+              .get(EntityIdOrName(cfId))
+              .filter(_.outV.v[Case].can(Permissions.manageCase))
+              .existsOrFail
           _ <- caseSrv.deleteCustomField(EntityIdOrName(cfId))
         } yield Results.NoContent
       }

diff --git a/thehive/app/org/thp/thehive/services/CaseSrv.scala b/thehive/app/org/thp/thehive/services/CaseSrv.scala
@@ -265,7 +265,7 @@ class CaseSrv @Inject() (
     Try(
       caseCustomFieldSrv
         .get(cfIdOrName)
-        .filter(_.outV.v[Case].can(Permissions.manageCase))
+        .filter(_.outV.v[Case])
         .remove()
     )