
Users without "bypass all capabilities" are unable to remove TLP markings from reports #3919

Closed
rach24smith opened this issue Aug 3, 2023 · 2 comments
Assignees
Labels
  • bug: use for describing something not working as expected
  • needs more info: Intel needed about the use case
  • solved: use to identify issue that has been solved (must be linked to the solving PR)

Comments

@rach24smith

Description

When attempting to remove TLP markings from reports that contain multiple markings, the action is rejected and instead I receive an error. When the user has elevated permissions and has "bypass all capabilities" enabled, they are able to perform the change no problem.

Environment

  1. OS (where OpenCTI server runs): macOS
  2. OpenCTI version: 5.9.6
  3. OpenCTI client: frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create a user with all role permissions other than the "bypass all capabilities"
  2. In the dashboard, go to Analysis -> Reports and select a report
  3. Add a secondary TLP label (or find a report with multiple TLP labels)
  4. Select the edit button in the bottom right corner of the report
  5. Select the X beside one of the TLP labels you wish to remove

Expected Output

We would expect that the TLP label would be removed.

Actual Output

The TLP label is not removed, and instead we get an error:

{
    "errors": [
        {
            "message": "Business validation",
            "name": "AlreadyDeletedError",
            "time_thrown": "2023-07-28T21:25:41.806Z",
            "data": {
                "reason": "Already deleted elements",
                "http_status": 400,
                "category": "business",
                "id": "af30b3de-c089-4de9-91c1-f8997ad2a5e0"
            }
        }
    ],
    "data": {
        "reportEdit": {
            "relationDelete": null
        }
    }
}

Additional information

When we update the user's role to have the permissions "bypass all capabilities", the user is able to remove TLP labels. When the user has all permissions enabled EXCEPT "bypass all capabilities", they are not able to perform the action. Because of this, I think it might be an issue with permissions.

Screenshots (optional)
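A scripted form of the reproduction steps above, added here as an example (it is not code from the issue or from OpenCTI): it sends the marking-removal mutation as a chosen user's API token and classifies the response, so the same check can be re-run per role after an upgrade. The mutation's `toId`/`relationship_type` arguments, the `StixRef` scalar and the `/graphql` endpoint URL are assumptions about the OpenCTI schema; the sample responses are constructed from the error pasted above.

```python
"""Scriptable version of the issue's reproduction steps: detach one marking from
a report through OpenCTI's GraphQL API as a given user and classify the result."""
import json
import urllib.request

# Assumed mutation: reportEdit/relationDelete match the error response in the
# issue; the toId/relationship_type arguments and the "object-marking" ref type
# are assumptions about the OpenCTI schema.
REMOVE_MARKING = """
mutation RemoveMarking($id: ID!, $markingId: StixRef!) {
  reportEdit(id: $id) {
    relationDelete(toId: $markingId, relationship_type: "object-marking") {
      id
      objectMarking { id definition }
    }
  }
}
"""

def classify(response: dict, marking_id: str) -> str:
    """Map a response to 'removed', 'still-present', 'no-data' or the error name/reason."""
    errors = response.get("errors") or []
    if errors:
        err = errors[0]  # OpenCTI puts the business reason under data.reason
        reason = (err.get("data") or {}).get("reason", err.get("message"))
        return f"{err.get('name')}: {reason}"
    report = ((response.get("data") or {}).get("reportEdit") or {}).get("relationDelete")
    if report is None:
        return "no-data"
    remaining = {m["id"] for m in report.get("objectMarking", [])}
    return "still-present" if marking_id in remaining else "removed"

def remove_marking(url: str, token: str, report_id: str, marking_id: str) -> dict:
    """POST the mutation to the GraphQL endpoint (e.g. http://host:4000/graphql) as the token's user."""
    payload = {"query": REMOVE_MARKING, "variables": {"id": report_id, "markingId": marking_id}}
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed samples: the failing response from the issue (trimmed) and a
# successful removal; marking/report ids are placeholders, not real ids.
FAILING = {"errors": [{"message": "Business validation", "name": "AlreadyDeletedError",
                       "data": {"reason": "Already deleted elements", "http_status": 400}}],
           "data": {"reportEdit": {"relationDelete": None}}}
SUCCEEDING = {"data": {"reportEdit": {"relationDelete": {"id": "report--example",
              "objectMarking": [{"id": "marking--amber", "definition": "TLP:AMBER"}]}}}}
```

Run `classify(remove_marking(url, token, report_id, marking_id), marking_id)` once per role under test; a result other than `removed` for a role that holds the create/update capability is the symptom described in this issue.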

@rach24smith rach24smith added the bug use for describing something not working as expected label Aug 3, 2023
@helene-nguyen helene-nguyen self-assigned this Aug 4, 2023
@helene-nguyen helene-nguyen added the needs more info Intel needed about the use case label Aug 9, 2023
@helene-nguyen
Member

Hello!
I haven't been able to reproduce the bug in the case where the user has all permissions enabled except "bypass all capabilities".

Here are the tests I've done.
User in a group that has a role that has:

  • "bypass all capabilities" AND all TLP markings set as allowed markings (first to check if it works properly) => user can remove markings as expected
  • "Access knowledge" capabilities checked AND all TLP markings set as allowed markings => user cannot access the create/update or delete report button
  • "Access knowledge" AND "Create/Update knowledge" capabilities checked AND all TLP markings set as allowed markings => user can access the create/update report button and can add and remove markings

Can you be more precise about the Role capabilities set?

You'll find below the capabilities allowing you to update the report

[screenshot: role capabilities]

@rach24smith
Author

Hi Helene! Thanks so much for the response. I have tried to reproduce the issue this week and it appears to be resolved! Thank you so much for your time on this and your efforts! I will re-open the ticket or make a new one if the issue persists.

@helene-nguyen helene-nguyen added the solved use to identify issue that has been solved (must be linked to the solving PR) label Oct 30, 2023