#251 Check user status before creating authContext

TheHive-Project · Jul 5, 2017 · ff56992 · ff56992
1 parent efc346d
commit ff56992
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 17 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,6 +28,7 @@
 - Alert can contain inconsistent data [\#234](https://github.com/CERT-BDF/TheHive/issues/234)
 - Search do not work with non-latin characters [\#223](https://github.com/CERT-BDF/TheHive/issues/223)
 - report status not updated after finish [\#212](https://github.com/CERT-BDF/TheHive/issues/212)
+- A locked user can use the API to create / delete / list cases \(and more\) [\#250](https://github.com/CERT-BDF/TheHive/issues/250)
 
 ## [2.11.3](https://github.com/CERT-BDF/TheHive/tree/2.11.3) (2017-06-14)
 [Full Changelog](https://github.com/CERT-BDF/TheHive/compare/debian/2.11.2...2.11.3)

diff --git a/thehive-backend/app/controllers/AuthenticationCtrl.scala b/thehive-backend/app/controllers/AuthenticationCtrl.scala
@@ -3,7 +3,7 @@ package controllers
 import javax.inject.{ Inject, Singleton }
 
 import models.UserStatus
-import org.elastic4play.Timed
+import org.elastic4play.{ AuthorizationError, Timed }
 import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer }
 import org.elastic4play.database.DBIndex
 import org.elastic4play.services.AuthSrv
@@ -34,7 +34,7 @@ class AuthenticationCtrl @Inject() (
           if (user.status() == UserStatus.Ok)
             authenticated.setSessingUser(Ok, authContext)
           else
-            Unauthorized("Your account is locked")
+            throw AuthorizationError("Your account is locked")
         }
     }
   }

diff --git a/thehive-backend/app/services/UserSrv.scala b/thehive-backend/app/services/UserSrv.scala
@@ -1,26 +1,18 @@
 package services
 
-import javax.inject.{ Inject, Named, Singleton }
-
-import scala.annotation.implicitNotFound
-import scala.concurrent.{ ExecutionContext, Future }
+import javax.inject.{ Inject, Provider, Singleton }
 
 import akka.NotUsed
-import akka.actor.{ ActorRef, actorRef2Scala }
 import akka.stream.scaladsl.Source
-
-import play.api.mvc.RequestHeader
-
-import org.elastic4play.AuthenticationError
+import models.{ User, UserModel, UserStatus }
 import org.elastic4play.controllers.Fields
 import org.elastic4play.database.DBIndex
-import org.elastic4play.services.{ AuthContext, CreateSrv, DeleteSrv, FindSrv, GetSrv, QueryDef, Role, UpdateSrv }
+import org.elastic4play.services._
 import org.elastic4play.utils.Instance
+import org.elastic4play.{ AuthenticationError, AuthorizationError }
+import play.api.mvc.RequestHeader
 
-import models.{ User, UserModel }
-import org.elastic4play.services.EventSrv
-import org.elastic4play.services.AuthSrv
-import javax.inject.Provider
+import scala.concurrent.{ ExecutionContext, Future }
 
 @Singleton
 class UserSrv @Inject() (
@@ -42,7 +34,13 @@ class UserSrv @Inject() (
       .flatMap { user ⇒ getFromUser(request, user) }
   }
 
-  override def getFromUser(request: RequestHeader, user: org.elastic4play.services.User): Future[AuthContext] = Future.successful(AuthContextImpl(user.id, user.getUserName, Instance.getRequestId(request), user.getRoles))
+  override def getFromUser(request: RequestHeader, user: org.elastic4play.services.User): Future[AuthContext] = {
+    user match {
+      case u: User if u.status() == UserStatus.Ok ⇒ Future.successful(AuthContextImpl(user.id, user.getUserName, Instance.getRequestId(request), user.getRoles))
+      case _                                      ⇒ Future.failed(AuthorizationError("Your account is locked"))
+    }
+
+  }
 
   override def getInitialUser(request: RequestHeader): Future[AuthContext] =
     dbIndex.getSize(userModel.name).map {