#1545 Fix permission check in task creation

TheHive-Project · Nov 13, 2020 · 6c48c56 · 6c48c56
1 parent 13dffe0
commit 6c48c56
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 11 deletions.
diff --git a/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
@@ -37,7 +37,7 @@ class TaskCtrl @Inject() (
       .authTransaction(db) { implicit request => implicit graph =>
         val inputTask: InputTask = request.body("task")
         for {
-          case0        <- caseSrv.getOrFail(caseId)
+          case0        <- caseSrv.get(caseId).can(Permissions.manageTask).getOrFail("Case")
           owner        <- inputTask.owner.map(userSrv.getOrFail).flip
           createdTask  <- taskSrv.create(inputTask.toTask, owner)
           organisation <- organisationSrv.getOrFail(request.organisation)

diff --git a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
@@ -10,6 +10,7 @@ import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.dto.v1.InputTask
 import org.thp.thehive.models._
 import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.ShareOps._
 import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services.{CaseSrv, OrganisationSrv, ShareSrv, TaskSrv}
@@ -66,7 +67,7 @@ class TaskCtrl @Inject() (
         val inputTask: InputTask = request.body("task")
         val caseId: String       = request.body("caseId")
         for {
-          case0        <- caseSrv.getOrFail(caseId)
+          case0        <- caseSrv.get(caseId).can(Permissions.manageTask).getOrFail("Case")
           createdTask  <- taskSrv.create(inputTask.toTask, None)
           organisation <- organisationSrv.getOrFail(request.organisation)
           _            <- shareSrv.shareTask(createdTask, case0, organisation)

diff --git a/thehive/app/org/thp/thehive/services/CaseSrv.scala b/thehive/app/org/thp/thehive/services/CaseSrv.scala
@@ -1,6 +1,6 @@
 package org.thp.thehive.services
 
-import java.util.{List => JList, Map => JMap}
+import java.util.{Map => JMap}
 
 import akka.actor.ActorRef
 import javax.inject.{Inject, Named, Singleton}
@@ -459,14 +459,6 @@ object CaseOps {
     def linkedCases(implicit authContext: AuthContext): Seq[(RichCase, Seq[RichObservable])] = {
       val originCaseLabel = StepLabel.v[Case]
       val observableLabel = StepLabel.v[Observable]
-      val linkedCaseLabel = StepLabel.v[Case]
-
-      val richCaseLabel = StepLabel[RichCase, JMap[String, Any], Converter[RichCase, JMap[String, Any]]]
-      val richObservablesLabel =
-        StepLabel[Seq[RichObservable], JList[JMap[String, Any]], Converter.CList[RichObservable, JMap[String, Any], Converter[
-          RichObservable,
-          JMap[String, Any]
-        ]]]
       traversal
         .as(originCaseLabel)
         .observables