From dceb673c74e07a029901c503e45ec37786cb1cdc Mon Sep 17 00:00:00 2001
From: To-om
Date: Thu, 11 Mar 2021 13:11:39 +0100
Subject: [PATCH] #1264 Move permission check from service to controller
---
 thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala | 6 ++++++
 thehive/app/org/thp/thehive/services/CaseSrv.scala | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala
index 46a053ed8b..4a2459ac8c 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala
@@ -137,6 +137,12 @@ class CaseCtrl @Inject() (
 entrypoint("delete a custom field")
 .authPermittedTransaction(db, Permissions.manageCase) { implicit request => implicit graph =>
 for {
+ _ <-
+ caseSrv
+ .caseCustomFieldSrv
+ .get(EntityIdOrName(cfId))
+ .filter(_.outV.v[Case].can(Permissions.manageCase))
+ .existsOrFail
 _ <- caseSrv.deleteCustomField(EntityIdOrName(cfId))
 } yield Results.NoContent
 }
diff --git a/thehive/app/org/thp/thehive/services/CaseSrv.scala b/thehive/app/org/thp/thehive/services/CaseSrv.scala
index 9979752e5e..e45908d100 100644
--- a/thehive/app/org/thp/thehive/services/CaseSrv.scala
+++ b/thehive/app/org/thp/thehive/services/CaseSrv.scala
@@ -265,7 +265,7 @@ class CaseSrv @Inject() (
 Try(
 caseCustomFieldSrv
 .get(cfIdOrName)
- .filter(_.outV.v[Case].can(Permissions.manageCase))
+ .filter(_.outV.v[Case])
 .remove()
 )
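Review bot: The added `existsOrFail` guard at the top of the for-comprehension is now the per-case authorization for this endpoint, but nothing in the code says so, and it reads like a redundant lookup before the delete. A comment above it such as `// object-level check: the case owning this custom field must grant manageCase to the caller; CaseSrv.deleteCustomField does not check` would keep a later cleanup from removing it. It would also help to bind `EntityIdOrName(cfId)` once so that the guard and the delete visibly act on the same identifier. What the client receives when the filter drops the element is not visible here, so it is worth confirming that a forbidden field and a missing field are answered the same way. The method signature lies outside the hunk.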
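Review bot: With the `can(Permissions.manageCase)` step removed, the service method in this hunk deletes the custom field value with no authorization test at all; `.filter(_.outV.v[Case])` only requires that the value is attached to a Case. This patch adds the replacement check to the v1 `CaseCtrl` only, so any other caller of `CaseSrv.deleteCustomField` (none is visible in this diff) would now delete without an object-level check and should be audited. I would state the contract on the method, for example `/** Performs no authorization: the caller must verify Permissions.manageCase on the owning case before calling. */`, and add a test that a user lacking the permission on that case gets a failure and the field is still present. The method signature lies outside the hunk.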