From 67214986ccd6b35776dd5bbd8b1d84b3e91e6c6e Mon Sep 17 00:00:00 2001
From: Nabil Adouani <nabil.adouani@gmail.com>
Date: Wed, 8 Jul 2020 13:45:28 +0200
Subject: [PATCH] #1423 Add permission check in case and observable bulk
 actions

---
 .../scripts/controllers/case/CaseListCtrl.js  | 13 ++-
 .../controllers/case/CaseObservablesCtrl.js   | 43 +++-------
 .../app/views/partials/case/case.export.html  | 79 -------------------
 .../app/views/partials/case/case.list.html    | 15 ++--
 .../views/partials/case/case.observables.html |  6 --
 .../observables/list/observables.html         |  2 +-
 .../observables/list/run-analyzers.html       | 30 -------
 7 files changed, 28 insertions(+), 160 deletions(-)
 delete mode 100644 frontend/app/views/partials/case/case.export.html
 delete mode 100644 frontend/app/views/partials/observables/list/run-analyzers.html

diff --git a/frontend/app/scripts/controllers/case/CaseListCtrl.js b/frontend/app/scripts/controllers/case/CaseListCtrl.js
index 497187bb59..3eef804ab9 100644
--- a/frontend/app/scripts/controllers/case/CaseListCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseListCtrl.js
@@ -3,7 +3,7 @@
     angular.module('theHiveControllers')
         .controller('CaseListCtrl', CaseListCtrl);
 
-    function CaseListCtrl($scope, $q, $state, $window, $uibModal, FilteringSrv, StreamStatSrv, PaginatedQuerySrv, EntitySrv, CaseSrv, UserSrv, AuthenticationSrv, CaseResolutionStatus, NotificationSrv, Severity, Tlp, CortexSrv) {
+    function CaseListCtrl($scope, $q, $state, $window, $uibModal, FilteringSrv, SecuritySrv, StreamStatSrv, PaginatedQuerySrv, EntitySrv, CaseSrv, UserSrv, AuthenticationSrv, CaseResolutionStatus, NotificationSrv, Severity, Tlp, CortexSrv) {
         var self = this;
 
         this.openEntity = EntitySrv.open;
@@ -72,7 +72,7 @@
                 operations: [
                     {'_name': 'listCase'}
                 ],
-                extraData: ["observableStats", "taskStats", "isOwner", "shareCount"],
+                extraData: ["observableStats", "taskStats", "isOwner", "shareCount", "permissions"],
                 onUpdate: function() {
                     self.resetSelection();
                 }
@@ -102,12 +102,17 @@
 
         self.selectAll = function() {
             var selected = self.menu.selectAll;
+
             _.each(self.list.values, function(item) {
-                item.selected = selected;
+                if(SecuritySrv.checkPermissions(['manageCase'], item.extraData.permissions)) {
+                    item.selected = selected;
+                }
             });
 
             if (selected) {
-                self.selection = self.list.values;
+                self.selection = _.filter(self.list.values, function(item) {
+                    return !!item.selected;
+                });
             } else {
                 self.selection = [];
             }
diff --git a/frontend/app/scripts/controllers/case/CaseObservablesCtrl.js b/frontend/app/scripts/controllers/case/CaseObservablesCtrl.js
index d22769879f..478754f156 100644
--- a/frontend/app/scripts/controllers/case/CaseObservablesCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseObservablesCtrl.js
@@ -1,7 +1,7 @@
 (function () {
     'use strict';
     angular.module('theHiveControllers').controller('CaseObservablesCtrl',
-        function ($scope, $q, $state, $stateParams, $filter, $uibModal, ModalUtilsSrv, FilteringSrv, StreamSrv, CaseTabsSrv, PaginatedQuerySrv, CaseArtifactSrv, NotificationSrv, AnalyzerSrv, CortexSrv, VersionSrv) {
+        function ($scope, $q, $state, $stateParams, $filter, $uibModal, SecuritySrv, ModalUtilsSrv, FilteringSrv, StreamSrv, CaseTabsSrv, PaginatedQuerySrv, CaseArtifactSrv, NotificationSrv, AnalyzerSrv, CortexSrv, VersionSrv) {
 
             CaseTabsSrv.activateTab($state.current.data.tab);
 
@@ -33,7 +33,6 @@
                     .then(function() {
                         $scope.load();
 
-                        $scope.initSelection($scope.selection);
                         $scope.initAnalyzersList();
 
                         // Add a listener to refresh observables list on job finish
@@ -74,9 +73,9 @@
                     sort: $scope.filtering.context.sort,
                     pageSize: $scope.filtering.context.pageSize,
                     filter: $scope.filtering.buildQuery(),
-                    extraData: ['seen'],
+                    extraData: ['seen', 'permissions'],
                     operations: [
-                        {'_name': 'getCase', "idOrName": $scope.caseId},
+                        {'_name': 'getCase', 'idOrName': $scope.caseId},
                         {'_name': 'observables'}
                     ],
                     onUpdate: function() {
@@ -171,26 +170,11 @@
             //
             // init lists
             //
-            $scope.initSelection = function (selection) {
-                selection.all = false;
-                selection.list = {};
-                selection.Action = 'main';
-            };
-
             $scope.initAnalyzersList = function () {
                 if($scope.analysisEnabled) {
                     AnalyzerSrv.query()
                         .then(function (analyzers) {
                             $scope.analyzersList.analyzers = analyzers;
-                            $scope.analyzersList.active = {};
-                            $scope.analyzersList.datatypes = {};
-                            angular.forEach($scope.analyzersList.analyzers, function (analyzer) {
-                                $scope.analyzersList.active[analyzer.name] = false;
-                            });
-                            $scope.analyzersList.selected = {};
-                            angular.forEach($scope.analyzersList.analyzers, function (analyzer) {
-                                $scope.analyzersList.selected[analyzer.name] = false;
-                            });
                         });
                 }
             };
@@ -198,19 +182,20 @@
             // select all artifacts : add all artifacts in selection or delete selection
             $scope.selectAll = function () {
                 var selected = $scope.menu.selectAll;
+
                 _.each($scope.artifacts.values, function(item) {
-                    item.selected = selected;
+                    if(SecuritySrv.checkPermissions(['manageObservable'], item.extraData.permissions)) {
+                        item.selected = selected;
+                    }
                 });
 
                 if (selected) {
-                    $scope.selection.artifacts = $scope.artifacts.values;
+                    $scope.selection.artifacts = _.filter($scope.artifacts.values, function(item) {
+                        return !!item.selected;
+                    });
                 } else {
                     $scope.selection.artifacts = [];
-
-                    $scope.initAnalyzersList();
                 }
-
-
             };
 
             // select or unselect an artifact
@@ -222,8 +207,6 @@
                         return item._id === artifact._id;
                     });
                 }
-
-
             };
 
             // actions on artifacts
@@ -313,7 +296,6 @@
 
             $scope.hideExport = function() {
                 $scope.showExportPanel = false;
-                $scope.initSelection($scope.selection);
             };
 
             $scope.removeObservables = function () {
@@ -335,8 +317,6 @@
                 }).catch(function(/*err*/) {
                     //NotificationSrv.error('Observable deletion', response.data, response.status);
                 });
-
-                $scope.initSelection($scope.selection);
             };
 
             // run selected analyzers on selected artifacts
@@ -374,9 +354,6 @@
                     }, function() {
 
                     });
-
-                $scope.initAnalyzersList();
-                $scope.initSelection($scope.selection);
             };
 
             $scope.openArtifact = function (artifact) {
diff --git a/frontend/app/views/partials/case/case.export.html b/frontend/app/views/partials/case/case.export.html
deleted file mode 100644
index 21267a5e1b..0000000000
--- a/frontend/app/views/partials/case/case.export.html
+++ /dev/null
@@ -1,79 +0,0 @@
-<div class="row">
-    <div class="col-md-12 mv-s" ng-show="$vm.artifacts.total === 0">
-        <div class="empty-message">No records.</div>
-    </div>
-</div>
-
-<!-- list of artifacts-->
-<div class="row">
-    <div class="col-md-12" ng-show="$vm.artifacts.total > 0">
-
-        <psearch control="$vm.artifacts"></psearch>
-
-        <form class="form-inline">
-            <div class="form-group">
-                <label class="sr-only" for="exampleInputEmail3">Email address</label>
-                <input type="email" class="form-control" id="exampleInputEmail3" placeholder="Email">
-            </div>
-            <div class="form-group">
-                <label class="sr-only" for="exampleInputPassword3">Password</label>
-                <input type="password" class="form-control" id="exampleInputPassword3" placeholder="Password">
-            </div>
-            <div class="checkbox">
-                <label>
-              <input type="checkbox"> Remember me
-            </label>
-            </div>
-            <button type="submit" class="btn btn-default">Sign in</button>
-        </form>
-
-        <table class="table table-striped table-hover valigned">
-            <thead>
-                <tr>
-                    <th width="10" class="p-0"></th>
-                    <th width="20">
-                        <input type="checkbox" ng-change="selectAll()" ng-model="selection.all" ng-disabled="switchTEList"></input>
-                    </th>
-                    <th width="150">Type</th>
-                    <th>Data/Filename</th>
-                    <th width="300">Tags</th>
-                    <th width="150">MISP Category</th>
-                    <th width="150">MISP Type</th>
-                    <th width="20">&nbsp;</th>
-                </tr>
-            </thead>
-            <tbody>
-                <tr ng-repeat="artifact in $vm.artifacts.values">
-                    <td class="p-0 bg-tlp-{{artifact.tlp}} clickable" ng-click="filterByTlp(artifact.tlp)"></td>
-                    <td>
-                        <input type="checkbox" ng-change="selectArtifact(artifact)" ng-model="selection.list[artifact.id]">
-                    </td>
-                    <td>
-                        <a href="" ng-click="addFilterValue('dataType', artifact.dataType)"><span ng-bind="artifact.dataType"></span></a>
-                    </td>
-                    <td class="wrap clickable" ng-click="openArtifact(artifact)">{{(artifact.data | fang) || (artifact.attachment.name | fang)}}</td>
-                    <td>
-                    	<span ng-repeat="l in artifact.tags">
-                    		<span class="label label-primary mr-xxxs pointer" ng-click="addFilterValue('tags', l)">
-                    			<i class="glyphicon glyphicon-tag"></i> <span ng-bind="l"></span>
-                        	</span>
-                        </span>
-                    </td>
-                    <td>
-                        <em ng-if="!artifact.exportCategory">Not specified</em>
-                        <em ng-if="artifact.exportCategory">Not specified</em>
-                    </td>
-                    <td>
-                        <em ng-if="!artifact.exportType">Not specified</em>
-                        <em ng-if="artifact.exportType">Not specified</em>
-                    </td>
-                    <td>
-                        <i class="fa fa-check"></i>
-                        <i class="fa fa-exclamation-triangle"></i>
-                    </td>
-                </tr>
-            </tbody>
-        </table>
-        <psearch ng-if="!switchTEList" control="artifacts"></psearch>
-    </div>
-</div>
diff --git a/frontend/app/views/partials/case/case.list.html b/frontend/app/views/partials/case/case.list.html
index 0f6330b532..3581c70c20 100644
--- a/frontend/app/views/partials/case/case.list.html
+++ b/frontend/app/views/partials/case/case.list.html
@@ -38,10 +38,10 @@ <h3 class="box-title">List of cases ({{$vm.list.total || 0}} of {{$vm.caseStats.
                         <table class="table table-striped case-list">
                             <thead>
                                 <tr>
+                                    <th style="width: 10px;" class="p-0"></th>
                                     <th width="20px" if-permission="manageCase">
                                         <input type="checkbox" ng-model="$vm.menu.selectAll" ng-change="$vm.selectAll()">
                                     </th>
-                                    <th style="width: 10px;" class="p-0"></th>
                                     <th>Title</th>
                                     <th style="width: 70px;"></th>
                                     <th style="width: 80px;text-align:center;">Severity</th>
@@ -49,16 +49,17 @@ <h3 class="box-title">List of cases ({{$vm.list.total || 0}} of {{$vm.caseStats.
                                     <th style="width: 100px;">Observables</th>
                                     <th style="width: 60px;">Assignee</th>
                                     <th style="width: 120px;">Date</th>
-                                    <th style="width: 40px;" if-permission="manageTask" allowed="{{userPermissions}}" ng-if="appConfig.connectors.cortex.enabled">Actions</th>
+                                    <th style="width: 40px;" ng-if="appConfig.connectors.cortex.enabled">Actions</th>
                                 </tr>
                             </thead>
 
                             <tbody>
                                 <tr ng-class="{true:'tr-warning'}[currentCase.flag]" ng-repeat="currentCase in $vm.list.values">
-                                    <td if-permission="manageCase">
-                                        <input type="checkbox" ng-model="currentCase.selected" ng-change="$vm.select(currentCase)">
-                                    </td>
                                     <td class="p-0 bg-tlp-{{currentCase.tlp}} clickable" ng-click="$vm.addFilterValue('tlp', currentCase.tlp)"></td>
+                                    <td>
+                                        <input if-permission="manageCase" allowed="{{currentCase.extraData.permissions.join(',')}}"
+                                            type="checkbox" ng-model="currentCase.selected" ng-change="$vm.select(currentCase)">
+                                    </td>
                                     <td>
                                         <div class="case-title wrap">
                                             <span class="mr-xxs text-primary" ng-if="!!!currentCase.extraData.isOwner"><i class="fa fa-share-square"
@@ -126,9 +127,9 @@ <h3 class="box-title">List of cases ({{$vm.list.total || 0}} of {{$vm.caseStats.
                                             <case-duration start="currentCase.startDate" end="currentCase.endDate" icon="fa-clock-o"></case-duration>
                                         </div>
                                     </td>
-                                    <td if-permission="manageTask" allowed="{{userPermissions}}" ng-if="appConfig.connectors.cortex.enabled">
+                                    <td>
 
-                                        <span class="ml-xs" uib-dropdown>
+                                        <span class="ml-xs" uib-dropdown ng-if="appConfig.connectors.cortex.enabled" if-permission="manageAction" allowed="{{currentCase.extraData.permissions.join(',')}}">
                                             <a href class="text-primary noline nowrap" ng-click="$vm.getCaseResponders(currentCase._id, true)" uib-dropdown-toggle>
                                                 <i class="text-primary fa fa-cog"></i>
                                                 <!-- Responders
diff --git a/frontend/app/views/partials/case/case.observables.html b/frontend/app/views/partials/case/case.observables.html
index 97dcdc0219..a595eeb299 100644
--- a/frontend/app/views/partials/case/case.observables.html
+++ b/frontend/app/views/partials/case/case.observables.html
@@ -64,12 +64,6 @@
 
 <div class="filter-panel" ng-include="'views/partials/observables/list/filters.html'" ng-show="filtering.context.showFilters"></div>
 
-<div class="row">
-    <div class="selection-options" ng-if="selection.Action === 'runAnalyzers'">
-        <div ng-include="'views/partials/observables/list/run-analyzers.html'"></div>
-    </div>
-</div>
-
 <br>
 <!-- Main page : Table + Text/CSV -->
 <div class="row">
diff --git a/frontend/app/views/partials/observables/list/observables.html b/frontend/app/views/partials/observables/list/observables.html
index 0f87116200..9de845ee31 100644
--- a/frontend/app/views/partials/observables/list/observables.html
+++ b/frontend/app/views/partials/observables/list/observables.html
@@ -62,7 +62,7 @@ <h4>
             <tr ng-repeat="artifact in artifacts.values">
                 <td class="p-0 bg-tlp-{{artifact.tlp}} clickable" ng-click="filterByTlp(artifact.tlp)"></td>
                 <td>
-                    <input type="checkbox" ng-model="artifact.selected" ng-change="selectArtifact(artifact)" >
+                    <input type="checkbox" ng-model="artifact.selected" ng-change="selectArtifact(artifact)" if-permission="manageObservable" allowed="{{artifact.extraData.permissions.join(',')}}">
                 </td>
                 <td>
                     <span ng-click="addFilterValue('ioc', artifact.ioc)" ng-if="artifact.ioc" class="clickable fa fa-star" uib-tooltip="is an IOC" tooltip-popup-delay="500" tooltip-placement="bottom"></span>
diff --git a/frontend/app/views/partials/observables/list/run-analyzers.html b/frontend/app/views/partials/observables/list/run-analyzers.html
deleted file mode 100644
index b061ad9a53..0000000000
--- a/frontend/app/views/partials/observables/list/run-analyzers.html
+++ /dev/null
@@ -1,30 +0,0 @@
-<div class="col-md-10 col-md-offset-1 bg-info" ng-switch="analyzersList.countActiveAnalyzers.total">
-
-    <div class="text-center" ng-switch-when="0">
-        <div class="vpad10 text-danger">
-            Sorry, there are currently no analyzers for the selected observable type(s)
-        </div>
-        <div class="vpad10">
-            <span class="btn btn-sm btn-default" ng-click="selection.Action='main';">Cancel</span>
-        </div>
-    </div>
-
-    <div class="p-xxs" ng-switch-default>
-    	<div class="mb-xxs text-center text-warning" ng-if="analyzersList.countDataTypes > 1">
-            Only a subset of the selected observables can be analyzed <strong>({{analyzersList.activeDataTypes.join(', ')}})</strong> and the remaining observables will be ignored
-        </div>
-        <div class="mb-xxs">
-            <a href class="mr-xxs" ng-click="selectAllAnalyzers(true)">Select All</a><a href class="ml-xxs" ng-click="selectAllAnalyzers(false)">Deselect All</a>
-        </div>
-        <ul class="list-unstyled mb-xxs">
-            <li ng-repeat="analyzer in analyzersList.analyzers | orderObjectBy:'name'" ng-show="analyzersList.active[analyzer.name]">
-                <input id="select_{{analyzer.name}}" value="{{analyzer.description}}" type="checkbox" ng-model="analyzersList.selected[analyzer.name]">
-                <label for="select_{{analyzer.name}}">{{analyzer.name}}</label>
-            </li>
-        </ul>
-        <div class="text-center mt-xxs">
-            <span class="btn btn-sm btn-primary" ng-click="runAnalyzerOnSelection();"><i class="glyphicon glyphicon-fire"></i> Run selected analyzers</span>
-            <span class="btn btn-sm btn-default" ng-click="selection.Action='main';">Cancel</span>
-        </div>
-    </div>
-</div>