From 6dc0736f70f0a28bd24157b4359ad9a5e2a68bd7 Mon Sep 17 00:00:00 2001
From: To-om
Date: Sat, 23 May 2020 09:42:56 +0200
Subject: [PATCH] #1353 Query: "assignableUsers" of a task

An user is assignable to a task if he has manageTask on it and is in a visible organisation (from current user)
---
 .../thp/thehive/controllers/v0/TaskCtrl.scala | 3 ++-
 .../thp/thehive/controllers/v1/TaskCtrl.scala | 5 ++++-
 .../thp/thehive/services/OrganisationSrv.scala | 7 ++++---
 .../app/org/thp/thehive/services/TaskSrv.scala | 17 +++++++++++++----
 4 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
index cf2f0d6f03..ccb681c6a0 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
@@ -46,7 +46,8 @@ class TaskCtrl @Inject() (
 )
 override val outputQuery: Query = Query.output[RichTask, TaskSteps](_.richTask)
 override val extraQueries: Seq[ParamQuery[_]] = Seq(
- Query.output[(RichTask, Option[RichCase])]
+ Query.output[(RichTask, Option[RichCase])],
+ Query[TaskSteps, UserSteps]("assignableUsers", (taskSteps, authContext) => taskSteps.assignableUsers(authContext))
 )
 def create(caseId: String): Action[AnyContent] =
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
index c64be6d8e1..635a6c4635 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
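Review bot: The `assignableUsers` entry added to `extraQueries` in controllers/v0/TaskCtrl.scala carries no permission check of its own, so the user list it returns is only as restricted as the task traversal it is chained onto. In the v1 controller the get query visibly applies `.visible(authContext)`; the equivalent v0 entry queries are outside this hunk, so it is worth confirming they filter the same way. I would state the assumption next to the entry, e.g. `// assignableUsers: expects visibility-filtered tasks; result is limited to organisations visible to the caller`. The same point applies to the identical entry added in controllers/v1/TaskCtrl.scala (hunk `@@ -40,6 +40,9 @@`).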
@@ -9,7 +9,7 @@ import org.thp.scalligraph.steps.StepsOps._
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.dto.v1.InputTask
 import org.thp.thehive.models.{Permissions, RichTask}
-import org.thp.thehive.services.{CaseSrv, OrganisationSrv, ShareSrv, TaskSrv, TaskSteps}
+import org.thp.thehive.services.{CaseSrv, OrganisationSrv, ShareSrv, TaskSrv, TaskSteps, UserSteps}
 import play.api.mvc.{Action, AnyContent, Results}
 import scala.util.Success
@@ -40,6 +40,9 @@ class TaskCtrl @Inject() (
 (param, graph, authContext) => taskSrv.get(param.idOrName)(graph).visible(authContext)
 )
 override val outputQuery: Query = Query.output[RichTask, TaskSteps](_.richTask)
+ override val extraQueries: Seq[ParamQuery[_]] = Seq(
+ Query[TaskSteps, UserSteps]("assignableUsers", (taskSteps, authContext) => taskSteps.assignableUsers(authContext))
+ )
 def create: Action[AnyContent] =
 entrypoint("create task")
diff --git a/thehive/app/org/thp/thehive/services/OrganisationSrv.scala b/thehive/app/org/thp/thehive/services/OrganisationSrv.scala
index 58a35b71d0..a4dfdd7a8a 100644
--- a/thehive/app/org/thp/thehive/services/OrganisationSrv.scala
+++ b/thehive/app/org/thp/thehive/services/OrganisationSrv.scala
@@ -1,11 +1,11 @@
 package org.thp.thehive.services
 import gremlin.scala._
-import scala.collection.JavaConverters._
+import scala.collection.JavaConverters._
 import javax.inject.{Inject, Singleton}
 import org.thp.scalligraph.{BadRequestError, EntitySteps, RichSeq}
-import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.auth.{AuthContext, Permission}
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
@@ -14,6 +14,7 @@ import org.thp.scalligraph.steps.{Traversal, VertexSteps}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import play.api.libs.json.JsObject
+
 import scala.util.{Failure, Success, Try}
 object OrganisationSrv {
@@ -119,7 +120,7 @@ class OrganisationSteps(raw: GremlinScala[Vertex])(implicit db: Database, graph:
 def caseTemplates: CaseTemplateSteps = new CaseTemplateSteps(raw.inTo[CaseTemplateOrganisation])
- def users(requiredPermission: String): UserSteps = new UserSteps(
+ def users(requiredPermission: Permission): UserSteps = new UserSteps(
 raw
 .inTo[RoleOrganisation]
 .filter(_.outTo[RoleProfile].has(Key("permissions") of requiredPermission))
diff --git a/thehive/app/org/thp/thehive/services/TaskSrv.scala b/thehive/app/org/thp/thehive/services/TaskSrv.scala
index b4be56c12e..ccc53c4668 100644
--- a/thehive/app/org/thp/thehive/services/TaskSrv.scala
+++ b/thehive/app/org/thp/thehive/services/TaskSrv.scala
@@ -2,10 +2,6 @@ package org.thp.thehive.services
 import java.util.Date
-import scala.util.{Failure, Success, Try}
-
-import play.api.libs.json.{JsNull, JsObject, Json}
-
 import gremlin.scala._
 import javax.inject.{Inject, Provider, Singleton}
 import org.thp.scalligraph.EntitySteps
@@ -16,6 +12,9 @@ import org.thp.scalligraph.services._
 import org.thp.scalligraph.steps.StepsOps._
 import org.thp.scalligraph.steps.{Traversal, TraversalLike, VertexSteps}
 import org.thp.thehive.models.{TaskStatus, _}
+import play.api.libs.json.{JsNull, JsObject, Json}
+
+import scala.util.{Failure, Success, Try}
 @Singleton
 class TaskSrv @Inject() (caseSrvProvider: Provider[CaseSrv], auditSrv: AuditSrv, logSrv: LogSrv)(implicit db: Database)
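Review bot: In OrganisationSrv.scala, `users(requiredPermission: Permission)` has no doc comment, although the visible filter (`_.outTo[RoleProfile].has(Key("permissions") of requiredPermission)`) defines a rule that access decisions now depend on: the permission is read from the profile attached to the role in this organisation. I would add a Scaladoc line such as `/** Users whose role in these organisations has a profile granting requiredPermission; permissions held through other organisations do not count. */`. The comparison is now made against a `Permission` value instead of a `String`; if that type is not stored as a plain string in the graph, the filter would quietly match nothing, so a test against a known profile is worth adding. The method body continues past the end of the hunk.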
@@ -136,6 +135,16 @@ class TaskSteps(raw: GremlinScala[Vertex])(implicit db: Database, graph: Graph)
 def user = new UserSteps(raw.outTo[TaskUser])
+ def organisations = new OrganisationSteps(raw.inTo[ShareTask].inTo[OrganisationShare])
+ def organisations(permission: Permission) =
+ new OrganisationSteps(raw.inTo[ShareTask].filter(_.outTo[ShareProfile].has(Key("permissions") of permission)).inTo[OrganisationShare])
+
+ def assignableUsers(implicit authContext: AuthContext): UserSteps =
+ organisations(Permissions.manageTask)
+ .visible
+ .users(Permissions.manageTask)
+ .dedup
+
 def richTask: Traversal[RichTask, RichTask] =
 Traversal(
 raw
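Review bot: The two `organisations` overloads added in TaskSrv.scala are public, declare no return type and apply no visibility filter, so they return every organisation the task is shared with, including ones the current user cannot see; only `assignableUsers` adds `.visible`. I would give them explicit types and state the contract, e.g. `def organisations: OrganisationSteps = ...` preceded by `/** All organisations this task is shared with; not filtered by the caller's visibility. */`. `assignableUsers` also assumes its receiver was already restricted with `visible(authContext)`, which is worth saying in its Scaladoc. This patch only lists candidates: whether the assignee is checked against the same rule when a task is created or updated is outside these hunks and should be confirmed, otherwise the list is advisory only. The TaskSteps class body starts and ends outside the hunk.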