From 6de94563ce755ce2513f20e70a516089ea1ec38f Mon Sep 17 00:00:00 2001
From: To-om <toom@thehive-project.org>
Date: Fri, 6 Mar 2020 16:24:06 +0100
Subject: [PATCH] #1253 Add an organisation parameter in delete user API

---
 .../thp/thehive/controllers/v1/Router.scala   | 24 +++++++++----------
 .../thp/thehive/controllers/v1/UserCtrl.scala |  8 +++----
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/thehive/app/org/thp/thehive/controllers/v1/Router.scala b/thehive/app/org/thp/thehive/controllers/v1/Router.scala
index cd338a6b34..28891997f7 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/Router.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/Router.scala
@@ -46,18 +46,18 @@ class Router @Inject() (
     case PATCH(p"/caseTemplate/$caseTemplateId") => caseTemplateCtrl.update(caseTemplateId)
     //case DELETE(p"/caseTemplate/$caseTemplateId") ⇒ caseTemplateCtrl.delete(caseTemplateId)
 
-    case POST(p"/user")                         => userCtrl.create
-    case GET(p"/user/current")                  => userCtrl.current
-    case GET(p"/user/$userId")                  => userCtrl.get(userId)
-    case PATCH(p"/user/$userId")                => userCtrl.update(userId)
-    case DELETE(p"/user/$userId")               => userCtrl.lock(userId)
-    case DELETE(p"/user/$userId/force")         => userCtrl.delete(userId)
-    case POST(p"/user/$userId/password/set")    => userCtrl.setPassword(userId)
-    case POST(p"/user/$userId/password/change") => userCtrl.changePassword(userId)
-    case GET(p"/user/$userId/key")              => userCtrl.getKey(userId)
-    case DELETE(p"/user/$userId/key")           => userCtrl.removeKey(userId)
-    case POST(p"/user/$userId/key/renew")       => userCtrl.renewKey(userId)
-    case GET(p"/user/$userId/avatar$file*")     => userCtrl.avatar(userId)
+    case POST(p"/user")                                                   => userCtrl.create
+    case GET(p"/user/current")                                            => userCtrl.current
+    case GET(p"/user/$userId")                                            => userCtrl.get(userId)
+    case PATCH(p"/user/$userId")                                          => userCtrl.update(userId)
+    case DELETE(p"/user/$userId")                                         => userCtrl.lock(userId)
+    case DELETE(p"/user/$userId/force" ? q_o"organisation=$organisation") => userCtrl.delete(userId, organisation)
+    case POST(p"/user/$userId/password/set")                              => userCtrl.setPassword(userId)
+    case POST(p"/user/$userId/password/change")                           => userCtrl.changePassword(userId)
+    case GET(p"/user/$userId/key")                                        => userCtrl.getKey(userId)
+    case DELETE(p"/user/$userId/key")                                     => userCtrl.removeKey(userId)
+    case POST(p"/user/$userId/key/renew")                                 => userCtrl.renewKey(userId)
+    case GET(p"/user/$userId/avatar$file*")                               => userCtrl.avatar(userId)
 
     case POST(p"/organisation")                  => organisationCtrl.create
     case GET(p"/organisation/$organisationId")   => organisationCtrl.get(organisationId)
diff --git a/thehive/app/org/thp/thehive/controllers/v1/UserCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/UserCtrl.scala
index 22fce9e1ff..14c6b5173f 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/UserCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/UserCtrl.scala
@@ -102,13 +102,13 @@ class UserCtrl @Inject() (
         } yield Results.NoContent
       }
 
-  def delete(userId: String): Action[AnyContent] =
+  def delete(userId: String, organisation: Option[String]): Action[AnyContent] =
     entrypoint("delete user")
       .authTransaction(db) { implicit request => implicit graph =>
         for {
-          organisation <- userSrv.current.organisations(Permissions.manageUser).has("name", request.organisation).getOrFail()
-          user         <- organisationSrv.get(organisation).users.get(userId).getOrFail()
-          _            <- userSrv.delete(user, organisation)
+          org  <- organisationSrv.getOrFail(organisation.getOrElse(request.organisation))
+          user <- userSrv.current.organisations(Permissions.manageUser).users.get(userId).getOrFail()
+          _    <- userSrv.delete(user, org)
         } yield Results.NoContent
       }