#1353 Query: "assignableUsers" of a task

An user is assignable to a task if he has manageTask on it and is in a visible organisation (from current user)
TheHive-Project · May 23, 2020 · 6dc0736 · 6dc0736
1 parent 94c9f07
commit 6dc0736
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 9 deletions.
diff --git a/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
@@ -46,7 +46,8 @@ class TaskCtrl @Inject() (
   )
   override val outputQuery: Query = Query.output[RichTask, TaskSteps](_.richTask)
   override val extraQueries: Seq[ParamQuery[_]] = Seq(
-    Query.output[(RichTask, Option[RichCase])]
+    Query.output[(RichTask, Option[RichCase])],
+    Query[TaskSteps, UserSteps]("assignableUsers", (taskSteps, authContext) => taskSteps.assignableUsers(authContext))
   )
 
   def create(caseId: String): Action[AnyContent] =

diff --git a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
@@ -9,7 +9,7 @@ import org.thp.scalligraph.steps.StepsOps._
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.dto.v1.InputTask
 import org.thp.thehive.models.{Permissions, RichTask}
-import org.thp.thehive.services.{CaseSrv, OrganisationSrv, ShareSrv, TaskSrv, TaskSteps}
+import org.thp.thehive.services.{CaseSrv, OrganisationSrv, ShareSrv, TaskSrv, TaskSteps, UserSteps}
 import play.api.mvc.{Action, AnyContent, Results}
 
 import scala.util.Success
@@ -40,6 +40,9 @@ class TaskCtrl @Inject() (
     (param, graph, authContext) => taskSrv.get(param.idOrName)(graph).visible(authContext)
   )
   override val outputQuery: Query = Query.output[RichTask, TaskSteps](_.richTask)
+  override val extraQueries: Seq[ParamQuery[_]] = Seq(
+    Query[TaskSteps, UserSteps]("assignableUsers", (taskSteps, authContext) => taskSteps.assignableUsers(authContext))
+  )
 
   def create: Action[AnyContent] =
     entrypoint("create task")

diff --git a/thehive/app/org/thp/thehive/services/OrganisationSrv.scala b/thehive/app/org/thp/thehive/services/OrganisationSrv.scala
@@ -1,11 +1,11 @@
 package org.thp.thehive.services
 
 import gremlin.scala._
-import scala.collection.JavaConverters._
 
+import scala.collection.JavaConverters._
 import javax.inject.{Inject, Singleton}
 import org.thp.scalligraph.{BadRequestError, EntitySteps, RichSeq}
-import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.auth.{AuthContext, Permission}
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
@@ -14,6 +14,7 @@ import org.thp.scalligraph.steps.{Traversal, VertexSteps}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import play.api.libs.json.JsObject
+
 import scala.util.{Failure, Success, Try}
 
 object OrganisationSrv {
@@ -119,7 +120,7 @@ class OrganisationSteps(raw: GremlinScala[Vertex])(implicit db: Database, graph:
 
   def caseTemplates: CaseTemplateSteps = new CaseTemplateSteps(raw.inTo[CaseTemplateOrganisation])
 
-  def users(requiredPermission: String): UserSteps = new UserSteps(
+  def users(requiredPermission: Permission): UserSteps = new UserSteps(
     raw
       .inTo[RoleOrganisation]
       .filter(_.outTo[RoleProfile].has(Key("permissions") of requiredPermission))

diff --git a/thehive/app/org/thp/thehive/services/TaskSrv.scala b/thehive/app/org/thp/thehive/services/TaskSrv.scala
@@ -2,10 +2,6 @@ package org.thp.thehive.services
 
 import java.util.Date
 
-import scala.util.{Failure, Success, Try}
-
-import play.api.libs.json.{JsNull, JsObject, Json}
-
 import gremlin.scala._
 import javax.inject.{Inject, Provider, Singleton}
 import org.thp.scalligraph.EntitySteps
@@ -16,6 +12,9 @@ import org.thp.scalligraph.services._
 import org.thp.scalligraph.steps.StepsOps._
 import org.thp.scalligraph.steps.{Traversal, TraversalLike, VertexSteps}
 import org.thp.thehive.models.{TaskStatus, _}
+import play.api.libs.json.{JsNull, JsObject, Json}
+
+import scala.util.{Failure, Success, Try}
 
 @Singleton
 class TaskSrv @Inject() (caseSrvProvider: Provider[CaseSrv], auditSrv: AuditSrv, logSrv: LogSrv)(implicit db: Database)
@@ -136,6 +135,16 @@ class TaskSteps(raw: GremlinScala[Vertex])(implicit db: Database, graph: Graph)
 
   def user = new UserSteps(raw.outTo[TaskUser])
 
+  def organisations = new OrganisationSteps(raw.inTo[ShareTask].inTo[OrganisationShare])
+  def organisations(permission: Permission) =
+    new OrganisationSteps(raw.inTo[ShareTask].filter(_.outTo[ShareProfile].has(Key("permissions") of permission)).inTo[OrganisationShare])
+
+  def assignableUsers(implicit authContext: AuthContext): UserSteps =
+    organisations(Permissions.manageTask)
+      .visible
+      .users(Permissions.manageTask)
+      .dedup
+
   def richTask: Traversal[RichTask, RichTask] =
     Traversal(
       raw