
Need to refresh to take into account user max shareable markings after update

Open Archidoit opened this issue 1 year ago • 3 comments

Description

If the maximum shareable markings of a user change, it is not taken into account except if the user refreshes the page.

Reproducible Steps

  • Log in as a user that is in a group with max shareable marking for TLP = No restrictions

  • Try to share a dashboard; all the user's allowed TLP markings are available in the 'max level of markings' list.

  • Log in another session as an administrator. Update the group of the user with max shareable marking for TLP = Not shareable.

  • The user can still see all the TLP markings in the list.

  • Refresh the page.

  • The user doesn't see any TLP marking in the list.

Expected output

No need to refresh to update a logged-in user's max shareable markings after they have been changed in the user's group.

Actual output

Need to refresh to take into account the user max shareable markings update

Archidoit avatar Jun 13 '24 14:06 Archidoit

When a group's maximum shareable markings are updated, the 'groupSessionRefresh' method is called (in groupEditField) to refresh the sessions of the users of the group. But this doesn't work.

Archidoit avatar Jun 13 '24 14:06 Archidoit

Reproduced. There's at least an error thrown to the user if the user selects a marking which he does not have access to anymore & clicks on share: "RRNLRequestError: Relay request for WorkspaceShareButtonCreateMutation failed by the following reasons: 1. You are not allowed to share these markings. publicDashboardAdd(input: $input) { ^^^".

So it's more a UI issue rather than a risk of data breach.

nino-filigran avatar Jun 14 '24 07:06 nino-filigran

Same issue with the update of confidence level. When I try to create a new entity, I need to refresh to take into account the update.

CelineSebe avatar Jun 27 '24 15:06 CelineSebe

Correct me if I'm wrong but this is how it has always worked, no?

The frontend does not subscribe to any change on the "me" data returned by the "me" query. There is no way for the frontend to magically know the user has changed, unless we query again the "me" user - hence refresh page.

labo-flg avatar Jul 02 '24 15:07 labo-flg

@labo-flg Mmm, not really. If I update a group, in the backend a method called 'groupSessionRefresh' is called. This method calls userSessionRefresh for all the users of the group. I thought this was in order to refresh the users' sessions in case of a group edition, but this is not working.

Archidoit avatar Jul 03 '24 07:07 Archidoit
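
The behaviour discussed in this thread, as an added sketch that is not OpenCTI code: the client keeps the markings list it fetched at login, while the server rebuilds a stale session before authorizing the share, so the outdated list produces a rejection rather than a disclosure. All names (`resolveMaxShareable`, `updateGroup`, `shareDashboard`, the `stale` flag) and the sample users, groups and sessions are hypothetical.

```javascript
// Added illustration; every name and value here is hypothetical, not OpenCTI code.
const groups = new Map([['analysts', { maxShareableTlp: ['TLP:CLEAR', 'TLP:GREEN', 'TLP:AMBER'] }]]);
const users = new Map([['alice', { groups: ['analysts'] }]]);
const sessions = new Map(); // sessionId -> { userId, maxShareableTlp, stale }

// Resolve what a user may share from the current group state.
function resolveMaxShareable(userId) {
  const allowed = new Set();
  for (const g of users.get(userId).groups) {
    for (const m of groups.get(g).maxShareableTlp) allowed.add(m);
  }
  return [...allowed];
}

// Login snapshots the markings; the return value is what the client caches.
function login(sessionId, userId) {
  const maxShareableTlp = resolveMaxShareable(userId);
  sessions.set(sessionId, { userId, maxShareableTlp, stale: false });
  return [...maxShareableTlp];
}

// Group edit: change the setting, then flag every session of every member.
function updateGroup(groupId, maxShareableTlp) {
  groups.get(groupId).maxShareableTlp = maxShareableTlp;
  for (const s of sessions.values()) {
    if (users.get(s.userId).groups.includes(groupId)) s.stale = true;
  }
}

// Server-side check on share: rebuild a stale session before authorizing.
function shareDashboard(sessionId, requestedMarkings) {
  const s = sessions.get(sessionId);
  if (s.stale) {
    s.maxShareableTlp = resolveMaxShareable(s.userId);
    s.stale = false;
  }
  const denied = requestedMarkings.filter((m) => !s.maxShareableTlp.includes(m));
  if (denied.length > 0) return { ok: false, error: 'You are not allowed to share these markings.' };
  return { ok: true };
}

// Constructed scenario following the reproduction steps above.
function scenario() {
  const clientList = login('sess-1', 'alice'); // client caches three markings
  updateGroup('analysts', []);                 // admin sets "Not shareable"
  const result = shareDashboard('sess-1', [clientList[2]]); // UI still offers TLP:AMBER
  return { clientList, result };
}
```

The client-side list stays outdated until it fetches the user data again; the authorization decision does not depend on it.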