[backend] check user access rights before deletion and merging (#6421)
Proposed changes
- We now check that the user has access to all related relations before deleting
Related issues
- #6421
Checklist
- [x] I consider the submitted work as finished
- [x] I tested the code for its functionality
- [ ] I wrote test cases for the relevant use cases (coverage and e2e)
- [ ] I added/updated the relevant documentation (either on github or on notion)
- [ ] Where necessary I refactored code to improve the overall quality
Further comments
If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...
Codecov Report
All modified and coverable lines are covered by tests.
Project coverage is 67.43%. Comparing base (9b9bc01) to head (74ac904).
Additional details and impacted files
```diff
@@           Coverage Diff           @@
##           master    #6811   +/-   ##
=======================================
  Coverage   67.43%   67.43%
=======================================
  Files         561      561
  Lines       68563    68568    +5
  Branches     5719     5722    +3
=======================================
+ Hits        46233    46238    +5
  Misses      22330    22330
```
This issue happens not only when deleting an object but also when merging 2 entities.
repro case:
- Malware X targets City1, relationship marking RED
- Malware X targets City2, relationship marking GREEN
- Log in with user only allowed for GREEN, but with capa to merge knowledge
- Merge City1 into City2
--> Merge is ok, but if you look at Malware X victimology, you see a "Restricted" (the City1 that has been deleted by the merge).
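The merge repro above, as an added example that is not OpenCTI's own code: a guard that collects every relationship attached to the entities being merged (or deleted) and refuses the operation when the user's allowed markings do not cover all of them, so a relation the user cannot see is never silently re-pointed or dropped. The entity/relationship shapes, the TLP marking names, the "every marking must be allowed" rule and the function names are assumptions made for illustration.

```javascript
// Added example, not OpenCTI's own code: a marking-based access check run
// over every relationship attached to an entity before that entity is
// deleted or merged away. Data shapes, function names and the
// "every marking must be allowed" rule are simplifying assumptions.

// Constructed sample graph matching the repro: Malware X targets two
// cities, one relationship marked RED and the other GREEN.
const RELATIONSHIPS = [
  { id: 'rel-1', type: 'targets', from: 'malwareX', to: 'city1', markings: ['TLP:RED'] },
  { id: 'rel-2', type: 'targets', from: 'malwareX', to: 'city2', markings: ['TLP:GREEN'] },
];

// A user can read an element only if each of its markings is in the
// user's allowed set; an element with no markings is readable by anyone.
function canRead(user, element) {
  return element.markings.every((m) => user.allowedMarkings.includes(m));
}

// Ids of the relationships touching `entityId` (either direction) that the
// user is not allowed to see. Empty means the whole neighbourhood is visible.
function hiddenRelationships(user, entityId, relationships = RELATIONSHIPS) {
  return relationships
    .filter((r) => r.from === entityId || r.to === entityId)
    .filter((r) => !canRead(user, r))
    .map((r) => r.id);
}

// Deletion guard: refuse when any attached relationship is hidden, otherwise
// the caller would delete or orphan data it cannot see.
function checkDeleteAccess(user, entityId, relationships = RELATIONSHIPS) {
  const hidden = hiddenRelationships(user, entityId, relationships);
  if (hidden.length > 0) {
    throw new Error(`Delete refused: no access to ${hidden.join(', ')}`);
  }
  return true;
}

// Merge guard: the source is deleted and its relationships re-pointed to the
// target, so both neighbourhoods must be fully visible to the user.
function checkMergeAccess(user, sourceId, targetId, relationships = RELATIONSHIPS) {
  const hidden = new Set([
    ...hiddenRelationships(user, sourceId, relationships),
    ...hiddenRelationships(user, targetId, relationships),
  ]);
  if (hidden.size > 0) {
    throw new Error(`Merge refused: no access to ${[...hidden].join(', ')}`);
  }
  return true;
}
```

With the GREEN-only user from the repro, `checkMergeAccess(user, 'city1', 'city2')` is refused because of `rel-1`, while a user cleared for both RED and GREEN is allowed to merge.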
linked to https://github.com/OpenCTI-Platform/opencti/pull/6821
I just make sure we do not crash