Create/Update notes and opinions specifying author with a different user #2109

Closed
SYNchroACK opened this issue May 25, 2022 · 3 comments · Fixed by #2317

@SYNchroACK
Contributor

SYNchroACK commented May 25, 2022

Description

A user with only one role with the following permissions ...

image

Can specify the note author as admin or as organization:

Screenshot from 2022-05-25 07-11-35

The button to update a note that does not belong to the logged-in user is available and the edit panel shows up; however, it raises an error when we try to update it.

It is also possible for a user to create a new Opinion, specifying the author as, for example, the Admin, and save it. Then, update the opinion to add a relation to another entity like a report.

I guess this is possible because Author is linked to Identities, which are not the same as OpenCTI users. However, should it be possible for users to change the author of any entity? Or even if yes, should it be possible to create notes and opinions using another user name?

PS: I understand, it seems easy at first sight to solve the problem, but conceptually it is difficult due to the mix between platform users/roles/permissions and the STIX author field as an Identity.

Environment

OpenCTI version: 5.2.4

@SYNchroACK SYNchroACK changed the title from "Create/Update notes specifying author with a different user" to "Create/Update notes and opinions specifying author with a different user" May 25, 2022
@richard-julien richard-julien added the "question" (Further information is requested) label May 25, 2022
@richard-julien
Member

@SamuelHassine any opinion on that? Not really clear to me what the correct behavior could be.

@SamuelHassine
Member

@richard-julien yes, I agree with @SYNchroACK, we have to find a way to enforce more permissions on the "notes" usage, and have a new role to override the author (at creation or modification).

@SamuelHassine SamuelHassine added the "feature" (use for describing a new feature to develop) label and removed the "question" (Further information is requested) label May 25, 2022
@SamuelHassine SamuelHassine added this to the Release 5.4.0 milestone May 25, 2022
@SamuelHassine
Member

Linked to #2188 and the "note" new capability we have to implement.

@SamuelHassine SamuelHassine added the "solved" (use to identify issue that has been solved (must be linked to the solving PR)) label Nov 15, 2022
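
The behavior discussed in this thread (owner-only edits, plus a separate capability to override the author at creation or modification) can be enforced server-side, as sketched in this added example. It is not OpenCTI's code or the fix from #2317; the capability names, the `identityId` mapping from a user to a STIX Identity, and all sample values are assumptions.

```javascript
// Hypothetical capability names (assumptions, not OpenCTI's real capability keys).
const CAP_NOTE_WRITE = 'NOTE_WRITE';
const CAP_AUTHOR_OVERRIDE = 'NOTE_AUTHOR_OVERRIDE';

class ForbiddenError extends Error {}
const has = (user, cap) => user.capabilities.includes(cap);

// Returns the author identity a note/opinion write is allowed to carry.
// user.identityId: the STIX Identity mapped to the account (assumed mapping).
// input.createdBy: author requested by the client (untrusted).
// existing: the stored object on update, null on create.
function resolveAuthor(user, input, existing = null) {
  if (!has(user, CAP_NOTE_WRITE)) throw new ForbiddenError('no write capability');
  const canOverride = has(user, CAP_AUTHOR_OVERRIDE);
  if (existing) {
    // Update: only the current author or an override holder may touch the object.
    if (existing.createdBy !== user.identityId && !canOverride) {
      throw new ForbiddenError('not the author of this object');
    }
    const requested = input.createdBy ?? existing.createdBy;
    if (requested !== existing.createdBy && !canOverride) {
      throw new ForbiddenError('changing the author requires the override capability');
    }
    return requested;
  }
  // Create: default to the caller's own identity instead of trusting the client.
  const requested = input.createdBy ?? user.identityId;
  if (requested !== user.identityId && !canOverride) {
    throw new ForbiddenError('cannot create as another identity');
  }
  return requested;
}

// Maps a denied write to 'DENIED' so outcomes can be compared side by side.
function attempt(user, input, existing = null) {
  try { return resolveAuthor(user, input, existing); } catch (e) {
    if (e instanceof ForbiddenError) return 'DENIED';
    throw e;
  }
}

// Constructed sample accounts and object.
const analyst = { identityId: 'identity--analyst', capabilities: [CAP_NOTE_WRITE] };
const curator = { identityId: 'identity--curator', capabilities: [CAP_NOTE_WRITE, CAP_AUTHOR_OVERRIDE] };
const adminNote = { id: 'note--1', createdBy: 'identity--admin' };

console.log(attempt(analyst, { createdBy: 'identity--admin' })); // create as Admin
console.log(attempt(analyst, { content: 'edit' }, adminNote));   // edit Admin's note
console.log(attempt(curator, { createdBy: 'identity--admin' })); // override holder
```

Running the same check in the resolver for both create and update keeps the UI (which showed the edit button in the report above) from being the only place the rule is applied.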