#1264 Move permission check from service to controller

TheHive-Project · Mar 11, 2021 · dceb673 · dceb673
1 parent 6066a58
commit dceb673
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala
@@ -137,6 +137,12 @@ class CaseCtrl @Inject() (
     entrypoint("delete a custom field")
       .authPermittedTransaction(db, Permissions.manageCase) { implicit request => implicit graph =>
         for {
+          _ <-
+            caseSrv
+              .caseCustomFieldSrv
+              .get(EntityIdOrName(cfId))
+              .filter(_.outV.v[Case].can(Permissions.manageCase))
+              .existsOrFail
           _ <- caseSrv.deleteCustomField(EntityIdOrName(cfId))
         } yield Results.NoContent
       }

diff --git a/thehive/app/org/thp/thehive/services/CaseSrv.scala b/thehive/app/org/thp/thehive/services/CaseSrv.scala
@@ -265,7 +265,7 @@ class CaseSrv @Inject() (
     Try(
       caseCustomFieldSrv
         .get(cfIdOrName)
-        .filter(_.outV.v[Case].can(Permissions.manageCase))
+        .filter(_.outV.v[Case])
         .remove()
     )