#1732 Add API for observable update in an alert

TheHive-Project · Jan 7, 2021 · 458de0e · 458de0e
1 parent 9f1775d
commit 458de0e
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 8 deletions.
diff --git a/thehive/app/org/thp/thehive/controllers/v0/ObservableCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/ObservableCtrl.scala
@@ -223,7 +223,7 @@ class ObservableCtrl @Inject() (
         val propertyUpdaters: Seq[PropertyUpdater] = request.body("observable")
         observableSrv
           .update(
-            _.get(EntityIdOrName(observableId)).can(Permissions.manageObservable),
+            _.get(EntityIdOrName(observableId)).canManage,
             propertyUpdaters
           )
           .flatMap {
@@ -259,7 +259,7 @@ class ObservableCtrl @Inject() (
         ids
           .toTry { id =>
             observableSrv
-              .update(_.get(EntityIdOrName(id)).can(Permissions.manageObservable), properties)
+              .update(_.get(EntityIdOrName(id)).canManage, properties)
           }
           .map(_ => Results.NoContent)
       }

diff --git a/thehive/app/org/thp/thehive/controllers/v0/Router.scala b/thehive/app/org/thp/thehive/controllers/v0/Router.scala
@@ -78,13 +78,15 @@ class Router @Inject() (
     //    case POST(p"/case/:caseId/artifact/_search")    => observableCtrl.findInCase(caseId)
     case POST(p"/case/artifact/_stats")               => observableCtrl.stats
     case POST(p"/case/$caseId/artifact")              => observableCtrl.createInCase(caseId)   // Audit ok
-    case POST(p"/alert/$alertId/artifact")            => observableCtrl.createInAlert(alertId) // Audit ok
     case GET(p"/case/artifact/$observableId")         => observableCtrl.get(observableId)
     case DELETE(p"/case/artifact/$observableId")      => observableCtrl.delete(observableId)   // Audit ok
     case PATCH(p"/case/artifact/_bulk")               => observableCtrl.bulkUpdate             // Audit ok
     case PATCH(p"/case/artifact/$observableId")       => observableCtrl.update(observableId)   // Audit ok
     case GET(p"/case/artifact/$observableId/similar") => observableCtrl.findSimilar(observableId)
     case POST(p"/case/artifact/$observableId/shares") => shareCtrl.shareObservable(observableId)
+    case POST(p"/alert/$alertId/artifact")            => observableCtrl.createInAlert(alertId) // Audit ok
+    case PATCH(p"/alert/artifact/$observableId")      => observableCtrl.update(observableId)   // Audit ok
+    case PATCH(p"/alert/artifact/_bulk")              => observableCtrl.bulkUpdate             // Audit ok
 
     case GET(p"/case")                  => caseCtrl.search
     case POST(p"/case")                 => caseCtrl.create         // Audit ok

diff --git a/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
@@ -259,10 +259,7 @@ class ObservableCtrl @Inject() (
       .authTransaction(db) { implicit request => implicit graph =>
         val propertyUpdaters: Seq[PropertyUpdater] = request.body("observable")
         observableSrv
-          .update(
-            _.get(EntityIdOrName(observableId)).can(Permissions.manageObservable),
-            propertyUpdaters
-          )
+          .update(_.get(EntityIdOrName(observableId)).canManage, propertyUpdaters)
           .map(_ => Results.NoContent)
       }
 
@@ -276,7 +273,7 @@ class ObservableCtrl @Inject() (
         ids
           .toTry { id =>
             observableSrv
-              .update(_.get(EntityIdOrName(id)).can(Permissions.manageObservable), properties)
+              .update(_.get(EntityIdOrName(id)).canManage, properties)
           }
           .map(_ => Results.NoContent)
       }

diff --git a/thehive/app/org/thp/thehive/services/ObservableSrv.scala b/thehive/app/org/thp/thehive/services/ObservableSrv.scala
@@ -15,6 +15,7 @@ import org.thp.scalligraph.traversal.{Converter, StepLabel, Traversal}
 import org.thp.scalligraph.utils.Hash
 import org.thp.scalligraph.{EntityIdOrName, RichSeq}
 import org.thp.thehive.models._
+import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.ShareOps._
@@ -229,6 +230,12 @@ object ObservableOps {
       else
         traversal.limit(0)
 
+    def canManage(implicit authContext: AuthContext): Traversal.V[Observable] =
+      if (authContext.isPermitted(Permissions.manageAlert))
+        traversal.filter(_.or(_.alert.visible, _.can(Permissions.manageObservable)))
+      else
+        can(Permissions.manageObservable)
+
     def userPermissions(implicit authContext: AuthContext): Traversal[Set[Permission], Vertex, Converter[Set[Permission], Vertex]] =
       traversal
         .share(authContext.organisation)