[Bug] Admin user does not have the right to list users of other organisations #1592

Closed · miyoyo opened this issue Oct 25, 2020 · 2 comments
Labels: bug, TheHive4 (TheHive4 related issues)

Comments

@miyoyo

miyoyo commented Oct 25, 2020

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Linux 4.19.128-microsoft-standard #1 SMP Tue Jun 23 12:58:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux, WSL on Windows 10 2004 (19041.572) |
| OS version (client) | Windows 10 2004 (19041.572) |
| TheHive version / git hash | 4.0.1-1-SNAPSHOT, develop-th4 : 57e5379 |
| Package Type | From Source |

Problem Description

Creating a user using the web interface after logging in as admin (admin/secret) leads to the user not showing up in the interface.

Using a direct query to listUser will show the user as having "no org".

Update: Creating a user using the v0 or v1 API still causes the user to have "no org", EXCEPT if the organisation is "Admin"; then it works fine.

Update 2: It seems that the user list API, the organisation list API, and the user create API don't return truthful values.

I created a profile using this request:

```
POST 'http://localhost:9000/api/v1/user' '{"login":"user@local","name":"b","password":"secret","profile":"org-admin","organisation":"user"}'
```

And the response was

```json
{"_id":"~45288","_createdBy":"admin@thehive.local","_createdAt":1603593020315,"login":"user@local","name":"b","hasKey":false,"hasPassword":false,"hasMFA":false,"locked":false,"profile":"org-admin","permissions":["manageShare","manageAnalyse","manageTask","manageCaseTemplate","manageCase","manageUser","managePage","manageObservable","manageConfig","manageAlert","manageAction"],"organisation":"no org","organisations":[]}
```

Which both lies about hasPassword and the organisation.

The organisation is actually assigned, as logging in as the user shows the correct organisation in the top right of the screen.

Once logged in as the user, correct values are given.

```
POST 'http://localhost:9000/api/v1/query' '{"query":[{"_name":"listOrganisation"},{"_name":"users"}]}'
```

properly outputs

```json
[{"_id":"~45288","_createdBy":"admin@thehive.local","_createdAt":1603593020315,"login":"user@local","name":"b","hasKey":false,"hasPassword":true,"hasMFA":false,"locked":false,"profile":"org-admin","permissions":["manageShare","manageAnalyse","manageTask","manageCaseTemplate","manageCase","manageUser","managePage","manageObservable","manageConfig","manageAlert","manageAction"],"organisation":"user","organisations":[]}]
```

Which makes me think that admin users do not have the right to see users in other organizations.

Steps to Reproduce

  1. Install a fresh, from-source version of TheHive on branch develop-th4.
  2. Ensure that Cassandra is completely clean of any data.
  3. Log in as admin.
  4. Create an organisation.
  5. Create a user named "user@local", assign it "org-admin", accept.
  6. Watch as no users show up, yet no error appears in either the browser or the server logs.
  7. POST http://localhost:9000/api/v1/query with '{"query":[{"_name":"listUser"}]}'
  8. Watch as the created user shows up, but without an org.

Possible Solutions

7cc8d5c

This commit seems to be where the string "no org" appeared, I'll attempt to build on the parent commit to see if this is the faulty commit.

Complementary information

"listUser" query with v1 API:

```json
[{"_id":"~8400","_createdBy":"admin@thehive.local","_createdAt":1603583470828,"login":"user@local","name":"a","hasKey":false,"hasPassword":false,"hasMFA":false,"locked":false,"profile":"org-admin","permissions":["manageShare","manageAnalyse","manageTask","manageCaseTemplate","manageCase","manageUser","managePage","manageObservable","manageConfig","manageAlert","manageAction"],"organisation":"no org","organisations":[]}]
```
@miyoyo miyoyo added TheHive4 TheHive4 related issues bug labels Oct 25, 2020
@miyoyo (Author)

miyoyo commented Oct 25, 2020

Currently working on the bisect; it guides me to 0bf95c3 as the first "broken" commit I can build.

I believe the issue introduced in the commit above was only partially fixed by f9354b3, and the user query is still broken today.

This means it is not possible to use a clean install of the latest thehive right now.

@miyoyo miyoyo changed the title [Bug] Users are not assigned to organisations when created using the v1 user creation API [Bug] Admin user does not have the right to list users of other organisations Oct 25, 2020
@To-om To-om self-assigned this Oct 25, 2020
@To-om To-om added this to the 4.0.1 milestone Oct 25, 2020
To-om added a commit that referenced this issue Oct 25, 2020
@To-om (Contributor)

To-om commented Oct 25, 2020

The query listUser only lists users who are in the organisation of the current authenticated user (the requester).
A user can only list users of his organisations. The problem occurs because the admin user is only in the "admin" organisation. The admin users (users in the admin organisation) are a special case (which was not correctly treated).

If you want all users of an org, use `{"query":[{"_name":"getOrganisation","idOrName":"orgName"},{"_name":"users"}]}`
If you want all users, use `{"query":[{"_name":"listOrganisation"},{"_name":"users"}]}`

@To-om To-om closed this as completed Oct 25, 2020
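The following is an added example, not code from the issue or from TheHive itself. It builds the two v1 query bodies that To-om recommends (per-organisation via `getOrganisation` → `users`, global via `listOrganisation` → `users`) instead of the requester-scoped `listUser`, and runs a small consistency audit over user records so that the symptoms reported above (`"organisation": "no org"`, `hasPassword` false right after a password was set) are surfaced as findings rather than silently accepted. The sample records are the two responses quoted in the issue, trimmed to the relevant fields; the `post_query` helper and its `Authorization: Bearer` API-key header are assumptions about how an operator would send the body and are not exercised here.

```python
"""Build TheHive v1 user-listing queries and audit the returned user records.

Added example; not part of the issue or of TheHive's own code base.
"""
import json
import urllib.request
from typing import List, Optional, Tuple


def build_user_query(org: Optional[str] = None) -> dict:
    """Return the body for POST /api/v1/query that lists users.

    org=None  -> all users of all organisations (listOrganisation -> users)
    org="x"   -> users of organisation "x"       (getOrganisation -> users)

    A bare {"_name": "listUser"} is scoped to the requester's own organisation,
    which is why an admin (only member of "admin") saw nothing useful above.
    """
    if org is None:
        first = {"_name": "listOrganisation"}
    else:
        first = {"_name": "getOrganisation", "idOrName": org}
    return {"query": [first, {"_name": "users"}]}


def audit_users(users: List[dict], password_was_set: bool = True) -> List[Tuple[str, str]]:
    """Return (login, problem) pairs for records that look inconsistent.

    Flags the two discrepancies reported in the issue: a missing / placeholder
    organisation, and hasPassword=false although a password was supplied.
    """
    findings = []
    for user in users:
        login = user.get("login", "<no login>")
        org = user.get("organisation")
        if org in (None, "", "no org"):
            findings.append((login, "organisation missing ('no org')"))
        if password_was_set and not user.get("hasPassword", False):
            findings.append((login, "hasPassword is false although a password was set"))
    return findings


def post_query(base_url: str, api_key: str, body: dict, timeout: int = 10) -> list:
    """Send a query body to TheHive and return the decoded JSON result.

    Assumption: API-key authentication via an Authorization: Bearer header.
    Not executed in this example; shown for completeness.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/query",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + api_key},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample data: the create-user response and the later
# listOrganisation->users result quoted in the issue, trimmed to key fields.
CREATE_RESPONSE = {
    "_id": "~45288", "login": "user@local", "name": "b",
    "hasKey": False, "hasPassword": False, "hasMFA": False, "locked": False,
    "profile": "org-admin", "organisation": "no org", "organisations": [],
}
QUERY_RESPONSE = [{
    "_id": "~45288", "login": "user@local", "name": "b",
    "hasKey": False, "hasPassword": True, "hasMFA": False, "locked": False,
    "profile": "org-admin", "organisation": "user", "organisations": [],
}]


if __name__ == "__main__":
    print(json.dumps(build_user_query()))
    print(json.dumps(build_user_query("user")))
    print("create response findings:", audit_users([CREATE_RESPONSE]))
    print("query response findings: ", audit_users(QUERY_RESPONSE))
```

Running the audit over the create-user response yields two findings (missing organisation, `hasPassword` false), while the `listOrganisation` → `users` result is clean; that difference is exactly the "lies about hasPassword and the organisation" observation in the report, turned into a check an operator can keep in a post-provisioning script.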
To-om added a commit that referenced this issue Nov 13, 2020