-
Notifications
You must be signed in to change notification settings - Fork 799
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[frontend/backend] Verify access to csv mapper in UI and API (#5954) #5979
Conversation
@@ -715,48 +715,50 @@ const LeftBar = () => { | |||
)} | |||
</MenuList> | |||
</Security> | |||
<Security needs={[EXPLORE]}> | |||
<Security needs={[EXPLORE, MODULES, KNOWLEDGE, TAXIIAPI_SETCOLLECTIONS, TAXIIAPI_SETCSVMAPPERS]}> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here we had 2 <Security>
one inside the other, and the top one was not including "MODULES, KNOWLEDGE, TAXIIAPI_SETCOLLECTIONS" that was used inside.
So it was like:
<Security needs={[EXPLORE]}>
<Security needs={[MODULES, KNOWLEDGE, TAXIIAPI_SETCOLLECTIONS]}>
</Security>
</Security>
Now it's:
<Security needs={[EXPLORE, MODULES, KNOWLEDGE, TAXIIAPI_SETCOLLECTIONS, TAXIIAPI_SETCSVMAPPERS]}>
<Security needs={[EXPLORE]}>
</Security>
<Security needs={[MODULES, KNOWLEDGE, TAXIIAPI_SETCOLLECTIONS, TAXIIAPI_SETCSVMAPPERS]}>
</Security>
</Security>
@@ -109,8 +104,8 @@ const Root = () => { | |||
path="/dashboard/data/processing" | |||
render={() => ( | |||
<Security | |||
needs={[SETTINGS_SETACCESSES]} | |||
placeholder={<Redirect to="/dashboard/data/processing/tasks" />} | |||
needs={[KNOWLEDGE_KNUPDATE, SETTINGS_SETACCESSES, TAXIIAPI_SETCSVMAPPERS]} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
inside /dashboard/data/processing some part are allowed to KNOWLEDGE_KNUPDATE and it was missing, and some part are allowed to TAXIIAPI_SETCSVMAPPERS too.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5979 +/- ##
==========================================
+ Coverage 65.44% 67.24% +1.79%
==========================================
Files 539 539
Lines 63059 63534 +475
Branches 5051 6187 +1136
==========================================
+ Hits 41271 42724 +1453
+ Misses 21788 20810 -978 ☔ View full report in Codecov by Sentry. |
<RelayEnvironmentProvider environment={environment}> | ||
<AppIntlProvider settings={{ platform_language: 'auto' }}> | ||
<ThemeProvider theme={createTheme()}> | ||
<UserContext.Provider value={AdminContext}> | ||
<Security needs={[KNOWLEDGE_KNUPDATE, EXPLORE_EXUPDATE]}> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well done for the tests ! It could be nice to have a helper test component like <TestApp...>
that instantiate all those providers to avoid duplicating those lines that pollute the tests readings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks ! This is my first React/frontend test so I did as fast as possible since it's a critical bug. Next time I will look for the reuse part :)
opencti-platform/opencti-front/src/__tests__/components/Security.test.tsx
Outdated
Show resolved
Hide resolved
I have tested it locally. When navigating to CSV mappers through the sidebar (Data > Processing), the user is redirected to the login page. |
As far as I understand, the redirect to login occurs when there is a response "Forbidden" from API, so hard to tell which capabilities are required for everything, every API call and so on. The reference page today is https://docs.opencti.io/latest/administration/users/ For csv mapper you should only need "Access data sharing & ingestion > Manage CSV mappers" or "TAXIIAPI_SETCSVMAPPERS" in code source, if there is a login redirect then there is still an issue. I will test again. |
As we have discussed, the user only had the right capability and could not access the settings to enable Enterprise Edition. I am checking again. |
Proposed changes
<Security>
component since it's used a lot@auth(for: [TAXIIAPI_SETCSVMAPPERS])
, + added a tests to keep it protected in the futureyarn test:watch
command for local test development.Related issues
Manual tests done locally
Checklist
Further comments
If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...