From 6fe7a129769c59751f0ab0bc514a2ce0fbe00b06 Mon Sep 17 00:00:00 2001
From: To-om
Date: Mon, 21 Sep 2020 17:53:18 +0200
Subject: [PATCH] #1545 Fix permission check in task creation
---
 .../app/org/thp/thehive/controllers/v0/TaskCtrl.scala | 2 +-
 .../app/org/thp/thehive/controllers/v1/TaskCtrl.scala | 3 ++-
 thehive/app/org/thp/thehive/services/CaseSrv.scala | 10 +---------
 3 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
index a54cd71bfe..bdc3ab160c 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
@@ -37,7 +37,7 @@ class TaskCtrl @Inject() (
 .authTransaction(db) { implicit request => implicit graph =>
 val inputTask: InputTask = request.body("task")
 for {
- case0 <- caseSrv.getOrFail(caseId)
+ case0 <- caseSrv.get(caseId).can(Permissions.manageTask).getOrFail("Case")
 owner <- inputTask.owner.map(userSrv.getOrFail).flip
 createdTask <- taskSrv.create(inputTask.toTask, owner)
 organisation <- organisationSrv.getOrFail(request.organisation)
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
index 32470eb1d1..2f132f8109 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
@@ -10,6 +10,7 @@ import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.dto.v1.InputTask
 import org.thp.thehive.models._
 import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.ShareOps._
 import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services.{CaseSrv, OrganisationSrv, ShareSrv, TaskSrv}
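Review bot: The added guard `case0 <- caseSrv.get(caseId).can(Permissions.manageTask).getOrFail("Case")` in the v0 TaskCtrl hunk reports a caller who lacks manageTask through the same `getOrFail("Case")` failure as a nonexistent case id, so the denial presumably surfaces as not-found rather than as an authorization error, and nothing on the line says that is deliberate. If it is (it avoids confirming to an unauthorised caller that the case exists), a comment above the line would record it: `// can() drops cases the caller may not manage; a denial is reported as "Case" not found on purpose`. The identical line is added in the v1 TaskCtrl hunk (`@@ -66,7 +67,7 @@`) and the same note applies there. The diffstat lists only the two controllers and CaseSrv.scala, so a test asserting that a caller without manageTask is rejected on both create routes would guard this check against regression. The enclosing for-comprehension starts and ends outside the hunk.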
@@ -66,7 +67,7 @@ class TaskCtrl @Inject() (
 val inputTask: InputTask = request.body("task")
 val caseId: String = request.body("caseId")
 for {
- case0 <- caseSrv.getOrFail(caseId)
+ case0 <- caseSrv.get(caseId).can(Permissions.manageTask).getOrFail("Case")
 createdTask <- taskSrv.create(inputTask.toTask, None)
 organisation <- organisationSrv.getOrFail(request.organisation)
 _ <- shareSrv.shareTask(createdTask, case0, organisation)
diff --git a/thehive/app/org/thp/thehive/services/CaseSrv.scala b/thehive/app/org/thp/thehive/services/CaseSrv.scala
index 97eb3c1542..856d2aff3d 100644
--- a/thehive/app/org/thp/thehive/services/CaseSrv.scala
+++ b/thehive/app/org/thp/thehive/services/CaseSrv.scala
@@ -1,6 +1,6 @@
 package org.thp.thehive.services
-import java.util.{List => JList, Map => JMap}
+import java.util.{Map => JMap}
 import akka.actor.ActorRef
 import javax.inject.{Inject, Named, Singleton}
@@ -459,14 +459,6 @@ object CaseOps {
 def linkedCases(implicit authContext: AuthContext): Seq[(RichCase, Seq[RichObservable])] = {
 val originCaseLabel = StepLabel.v[Case]
 val observableLabel = StepLabel.v[Observable]
- val linkedCaseLabel = StepLabel.v[Case]
-
- val richCaseLabel = StepLabel[RichCase, JMap[String, Any], Converter[RichCase, JMap[String, Any]]]
- val richObservablesLabel =
- StepLabel[Seq[RichObservable], JList[JMap[String, Any]], Converter.CList[RichObservable, JMap[String, Any], Converter[
- RichObservable,
- JMap[String, Any]
- ]]]
 traversal
 .as(originCaseLabel)
 .observables