Merge branch 'hotfix/3.3.1'

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change Log
 
+## [3.3.1](https://github.com/TheHive-Project/TheHive/tree/3.3.1) (2019-05-22)
+[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.3.0...3.3.1)
+
+**Fixed bugs:**
+
+- THP-SEC-ADV-2017-001: Privilege Escalation in all Versions of TheHive [\#408](https://github.com/TheHive-Project/TheHive/issues/408)
+
 ## [3.3.0](https://github.com/TheHive-Project/TheHive/tree/3.3.0) (2019-03-19)
 
 [Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.3.0-RC6...3.3.0)

thehive-backend/app/controllers/UserCtrl.scala

@@ -52,7 +52,7 @@ class UserCtrl @Inject() (
       else if (request.body.contains("key")) {
         Future.failed(AuthorizationError("You must use dedicated API (renewKey, removeKey) to update key"))
       }
-      else if (request.body.contains("role") && !request.authContext.roles.contains(Roles.admin)) {
+      else if (request.body.contains("roles") && !request.authContext.roles.contains(Roles.admin)) {
         Future.failed(AuthorizationError("You are not permitted to change user role"))
       }
       else if (request.body.contains("status") && !request.authContext.roles.contains(Roles.admin)) {

ui/bower.json

@@ -1,6 +1,6 @@
 {
   "name": "thehive",
-  "version": "3.3.0",
+  "version": "3.3.1",
   "license": "AGPL-3.0",
   "dependencies": {
     "angular": "1.5.8",

ui/package.json

@@ -1,6 +1,6 @@
 {
     "name": "thehive",
-    "version": "3.3.0",
+    "version": "3.3.1",
     "license": "AGPL-3.0",
     "repository": {
         "type": "git",

version.sbt

@@ -1 +1 @@
-version in ThisBuild := "3.3.0-1"
+version in ThisBuild := "3.3.1-1"