#312 Check dashboard owner before update

TheHive-Project · Oct 19, 2017 · 5f2a14c · 5f2a14c
1 parent 75ed248
commit 5f2a14c
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/thehive-backend/app/controllers/DashboardCtrl.scala b/thehive-backend/app/controllers/DashboardCtrl.scala
@@ -2,7 +2,7 @@ package controllers
 
 import javax.inject.{ Inject, Singleton }
 
-import scala.concurrent.ExecutionContext
+import scala.concurrent.{ ExecutionContext, Future }
 
 import play.api.Logger
 import play.api.http.Status
@@ -16,7 +16,7 @@ import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, R
 import org.elastic4play.models.JsonFormat.baseModelEntityWrites
 import org.elastic4play.services.JsonFormat.{ aggReads, queryReads }
 import org.elastic4play.services._
-import org.elastic4play.{ BadRequestError, Timed }
+import org.elastic4play.{ AuthorizationError, BadRequestError, Timed }
 
 @Singleton
 class DashboardCtrl @Inject() (
@@ -46,9 +46,13 @@ class DashboardCtrl @Inject() (
 
   @Timed
   def update(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
-    dashboardSrv.update(id, request.body).map { dashboard ⇒
-      renderer.toOutput(OK, dashboard)
-    }
+    for {
+      dashboard <- dashboardSrv.get(id)
+      updatedDashboard <- if (dashboard.createdBy == request.authContext.userId)
+        dashboardSrv.update(dashboard, request.body)
+      else
+        Future.failed(AuthorizationError("You can't update this dashboard, you are not the owner"))
+    } yield renderer.toOutput(OK, updatedDashboard)
   }
 
   @Timed

diff --git a/thehive-backend/app/services/DashboardSrv.scala b/thehive-backend/app/services/DashboardSrv.scala
@@ -36,8 +36,8 @@ class DashboardSrv @Inject() (
   def update(id: String, fields: Fields)(implicit authContext: AuthContext): Future[Dashboard] =
     updateSrv[DashboardModel, Dashboard](dashboardModel, id, fields)
 
-  def update(caze: Dashboard, fields: Fields)(implicit authContext: AuthContext): Future[Dashboard] =
-    updateSrv(caze, fields)
+  def update(dashboard: Dashboard, fields: Fields)(implicit authContext: AuthContext): Future[Dashboard] =
+    updateSrv(dashboard, fields)
 
   def delete(id: String)(implicit Context: AuthContext): Future[Dashboard] =
     deleteSrv[DashboardModel, Dashboard](dashboardModel, id)