[frontend/backend] Verify access to csv mapper in UI and API (#5954) #5979
Conversation
| @@ -715,48 +715,50 @@ const LeftBar = () => { | |||
| )} | |||
| </MenuList> | |||
| </Security> | |||
| <Security needs={[EXPLORE]}> | |||
| <Security needs={[EXPLORE, MODULES, KNOWLEDGE, TAXIIAPI_SETCOLLECTIONS, TAXIIAPI_SETCSVMAPPERS]}> | |||
There was a problem hiding this comment.
Here we had 2 <Security> one inside the other, and the top one was not including "MODULES, KNOWLEDGE, TAXIIAPI_SETCOLLECTIONS" that was used inside.
So it was like:
<Security needs={[EXPLORE]}>
<Security needs={[MODULES, KNOWLEDGE, TAXIIAPI_SETCOLLECTIONS]}>
</Security>
</Security>
Now it's:
<Security needs={[EXPLORE, MODULES, KNOWLEDGE, TAXIIAPI_SETCOLLECTIONS, TAXIIAPI_SETCSVMAPPERS]}>
<Security needs={[EXPLORE]}>
</Security>
<Security needs={[MODULES, KNOWLEDGE, TAXIIAPI_SETCOLLECTIONS, TAXIIAPI_SETCSVMAPPERS]}>
</Security>
</Security>
| @@ -109,8 +104,8 @@ const Root = () => { | |||
| path="/dashboard/data/processing" | |||
| render={() => ( | |||
| <Security | |||
| needs={[SETTINGS_SETACCESSES]} | |||
| placeholder={<Redirect to="/dashboard/data/processing/tasks" />} | |||
| needs={[KNOWLEDGE_KNUPDATE, SETTINGS_SETACCESSES, TAXIIAPI_SETCSVMAPPERS]} | |||
There was a problem hiding this comment.
inside /dashboard/data/processing some part are allowed to KNOWLEDGE_KNUPDATE and it was missing, and some part are allowed to TAXIIAPI_SETCSVMAPPERS too.
aHenryJard
changed the title
aHenryJard
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5979 +/- ##
==========================================
+ Coverage 65.44% 67.24% +1.79%
==========================================
Files 539 539
Lines 63059 63534 +475
Branches 5051 6187 +1136
==========================================
+ Hits 41271 42724 +1453
+ Misses 21788 20810 -978 ☔ View full report in Codecov by Sentry. |
| <RelayEnvironmentProvider environment={environment}> | ||
| <AppIntlProvider settings={{ platform_language: 'auto' }}> | ||
| <ThemeProvider theme={createTheme()}> | ||
| <UserContext.Provider value={AdminContext}> | ||
| <Security needs={[KNOWLEDGE_KNUPDATE, EXPLORE_EXUPDATE]}> |
There was a problem hiding this comment.
Well done for the tests ! It could be nice to have a helper test component like <TestApp...> that instantiate all those providers to avoid duplicating those lines that pollute the tests readings
There was a problem hiding this comment.
Thanks ! This is my first React/frontend test so I did as fast as possible since it's a critical bug. Next time I will look for the reuse part :)
opencti-platform/opencti-front/src/__tests__/components/Security.test.tsx
Outdated
Show resolved
Hide resolved
|
I have tested it locally. When navigating to CSV mappers through the sidebar (Data > Processing), the user is redirected to the login page. |
As far as I understand, the redirect to login occurs when there is a response "Forbidden" from API, so hard to tell which capabilities are required for everything, every API call and so on. The reference page today is https://docs.opencti.io/latest/administration/users/ For csv mapper you should only need "Access data sharing & ingestion > Manage CSV mappers" or "TAXIIAPI_SETCSVMAPPERS" in code source, if there is a login redirect then there is still an issue. I will test again. |
|
Tested again right now: with this configuration: I have access to csv mapper: |
|
As we have discussed, the user only had the right capability and could not access the settings to enable Enterprise Edition. I am checking again. |
Proposed changes
<Security>component since it's used a lot@auth(for: [TAXIIAPI_SETCSVMAPPERS]), + added a tests to keep it protected in the futureyarn test:watchcommand for local test development.Related issues
Manual tests done locally
Checklist
Further comments
If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...