[backend] add feature flag (#4538)

OpenCTI-Platform · Sep 16, 2024 · cca100f · cca100f
1 parent 097b72d
commit cca100f
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/opencti-platform/opencti-graphql/config/default.json b/opencti-platform/opencti-graphql/config/default.json
@@ -11,7 +11,8 @@
       "NEW_IMPORT_SCREENS",
       "FILIGRAN_LOADER",
       "CONTAINERS_AUTHORIZED_MEMBERS",
-      "TELEMETRY_COUNT_ACTIVE_USERS"
+      "TELEMETRY_COUNT_ACTIVE_USERS",
+      "ORGA_SHARING_ONLY_PLATFORM"
     ],
     "https_cert": {
       "ca": [],

diff --git a/opencti-platform/opencti-graphql/src/database/engine.js b/opencti-platform/opencti-graphql/src/database/engine.js
@@ -42,7 +42,7 @@ import {
   waitInSec,
   WRITE_PLATFORM_INDICES
 } from './utils';
-import conf, { booleanConf, extendedErrors, loadCert, logApp } from '../config/conf';
+import conf, { booleanConf, extendedErrors, isFeatureEnabled, loadCert, logApp } from '../config/conf';
 import { ComplexSearchError, ConfigurationError, DatabaseError, EngineShardsError, FunctionalError, UnsupportedError } from '../config/errors';
 import {
   isStixRefRelationship,
@@ -504,6 +504,27 @@ export const buildDataRestrictions = async (context, user, opts = {}) => {
         // Finally build the bool should search
         must.push({ bool: { should, minimum_should_match: 1 } });
       }
+    } else if (!isFeatureEnabled('ORGA_SHARING_ONLY_PLATFORM')) {
+      // Data with Empty granted_refs are granted to everyone
+      const should = [excludedEntityMatches];
+      should.push({ bool: { must_not: [{ exists: { field: buildRefRelationSearchKey(RELATION_GRANTED_TO) } }] } });
+      // Data with granted_refs users that participate to at least one
+      if (user.allowed_organizations.length > 0) {
+        const shouldOrgs = user.allowed_organizations
+          .map((m) => ({ match: { [buildRefRelationSearchKey(RELATION_GRANTED_TO)]: m.internal_id } }));
+        should.push(...shouldOrgs);
+      }
+      // User individual or data created by this individual must be accessible
+      if (user.individual_id) {
+        should.push({ match: { 'internal_id.keyword': user.individual_id } });
+        should.push({ match: { [buildRefRelationSearchKey(RELATION_CREATED_BY)]: user.individual_id } });
+      }
+      // For tasks
+      should.push({ match: { 'initiator_id.keyword': user.internal_id } });
+      // Access to authorized members
+      should.push(...buildUserMemberAccessFilter(user, { includeAuthorities: opts?.includeAuthorities, excludeEmptyAuthorizedMembers: true }));
+      // Finally build the bool should search
+      must.push({ bool: { should, minimum_should_match: 1 } });
     }
     // endregion
   }