From ff569922b912e9ac5b69105ae0519da730442b99 Mon Sep 17 00:00:00 2001
From: To-om
Date: Wed, 5 Jul 2017 16:03:55 +0200
Subject: [PATCH] #251 Check user status before creating authContext

---
 CHANGELOG.md | 1 +
 .../app/controllers/AuthenticationCtrl.scala | 4 +--
 thehive-backend/app/services/UserSrv.scala | 28 +++++++++----------
 3 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca5f608373..2508527dce 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,7 @@
 - Alert can contain inconsistent data [\#234](https://github.com/CERT-BDF/TheHive/issues/234)
 - Search do not work with non-latin characters [\#223](https://github.com/CERT-BDF/TheHive/issues/223)
 - report status not updated after finish [\#212](https://github.com/CERT-BDF/TheHive/issues/212)
+- A locked user can use the API to create / delete / list cases \(and more\) [\#250](https://github.com/CERT-BDF/TheHive/issues/250)
 
 ## [2.11.3](https://github.com/CERT-BDF/TheHive/tree/2.11.3) (2017-06-14)
 [Full Changelog](https://github.com/CERT-BDF/TheHive/compare/debian/2.11.2...2.11.3)
diff --git a/thehive-backend/app/controllers/AuthenticationCtrl.scala b/thehive-backend/app/controllers/AuthenticationCtrl.scala
index 3cc3f51c1c..7a0a360026 100644
--- a/thehive-backend/app/controllers/AuthenticationCtrl.scala
+++ b/thehive-backend/app/controllers/AuthenticationCtrl.scala
@@ -3,7 +3,7 @@ package controllers
 import javax.inject.{ Inject, Singleton }
 import models.UserStatus
-import org.elastic4play.Timed
+import org.elastic4play.{ AuthorizationError, Timed }
 import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer }
 import org.elastic4play.database.DBIndex
 import org.elastic4play.services.AuthSrv
@@ -34,7 +34,7 @@ class AuthenticationCtrl @Inject() (
 if (user.status() == UserStatus.Ok)
 authenticated.setSessingUser(Ok, authContext)
 else
- Unauthorized("Your account is locked")
+ throw AuthorizationError("Your account is locked")
 }
 }
 }
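Review bot: The new `throw AuthorizationError("Your account is locked")` replaces an explicit `Unauthorized` result with an exception, so the HTTP status a locked account now receives depends entirely on what the framework's error handler maps `AuthorizationError` to; if this sits inside the `.map`/`.flatMap` lambda the surrounding braces suggest, it surfaces as a failed Future rather than a thrown exception, which is fine only if that handler is wired for this controller. Because `UserSrv.getFromUser` in this same patch already refuses to build an authContext for a user whose status is not `Ok`, this `else` branch is probably unreachable when `authContext` comes from that path; keeping it as defense in depth is reasonable, but say so, e.g. `// Defense in depth: UserSrv.getFromUser already rejects users whose status is not Ok`. The enclosing method starts outside this hunk, so where the thrown error is caught cannot be confirmed from here.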
diff --git a/thehive-backend/app/services/UserSrv.scala b/thehive-backend/app/services/UserSrv.scala
index 9c8bea39a1..ec759bcb37 100644
--- a/thehive-backend/app/services/UserSrv.scala
+++ b/thehive-backend/app/services/UserSrv.scala
@@ -1,26 +1,18 @@
 package services
 
-import javax.inject.{ Inject, Named, Singleton }
-
-import scala.annotation.implicitNotFound
-import scala.concurrent.{ ExecutionContext, Future }
+import javax.inject.{ Inject, Provider, Singleton }
 
 import akka.NotUsed
-import akka.actor.{ ActorRef, actorRef2Scala }
 import akka.stream.scaladsl.Source
-
-import play.api.mvc.RequestHeader
-
-import org.elastic4play.AuthenticationError
+import models.{ User, UserModel, UserStatus }
 import org.elastic4play.controllers.Fields
 import org.elastic4play.database.DBIndex
-import org.elastic4play.services.{ AuthContext, CreateSrv, DeleteSrv, FindSrv, GetSrv, QueryDef, Role, UpdateSrv }
+import org.elastic4play.services._
 import org.elastic4play.utils.Instance
+import org.elastic4play.{ AuthenticationError, AuthorizationError }
+import play.api.mvc.RequestHeader
 
-import models.{ User, UserModel }
-import org.elastic4play.services.EventSrv
-import org.elastic4play.services.AuthSrv
-import javax.inject.Provider
+import scala.concurrent.{ ExecutionContext, Future }
 
 @Singleton
 class UserSrv @Inject() (
@@ -42,7 +34,13 @@ class UserSrv @Inject() (
 .flatMap { user ⇒ getFromUser(request, user) }
 }
 
- override def getFromUser(request: RequestHeader, user: org.elastic4play.services.User): Future[AuthContext] = Future.successful(AuthContextImpl(user.id, user.getUserName, Instance.getRequestId(request), user.getRoles))
+ override def getFromUser(request: RequestHeader, user: org.elastic4play.services.User): Future[AuthContext] = {
+ user match {
+ case u: User if u.status() == UserStatus.Ok ⇒ Future.successful(AuthContextImpl(user.id, user.getUserName, Instance.getRequestId(request), user.getRoles))
+ case _ ⇒ Future.failed(AuthorizationError("Your account is locked"))
+ }
+
+ }
 
 override def getInitialUser(request: RequestHeader): Future[AuthContext] =
 dbIndex.getSize(userModel.name).map {
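Review bot: The catch-all `case _` in the new `getFromUser` treats two different situations identically: a `models.User` whose status is not `Ok` (a genuinely locked account) and a `user` value that is not a `models.User` at all, which is a wiring or type error rather than a locked account, yet both callers are told "Your account is locked" and the second case becomes hard to diagnose. Splitting the fallback keeps the failure meaningful, e.g. `case _: User ⇒ Future.failed(AuthorizationError("Your account is locked"))` followed by `case _ ⇒ Future.failed(AuthenticationError("Unexpected user type"))`, assuming `AuthenticationError` takes a message the way `AuthorizationError` does here (its constructor is not visible in this patch). Refusing every status other than `Ok` is the right fail-closed default and deserves a comment on the guard, e.g. `// Only Ok users get an authContext; any other status (Locked, or one added later) is refused`. On style, the success branch binds `u` but still reads `user.id`, `user.getUserName` and `user.getRoles`, and the stray blank line before the closing brace plus the redundant outer `{ }` around the single `match` expression can both go.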