Description
Request Type
Bug
Work Environment
| Question | Answer |
|---|---|
| OS version (server) | Linux 4.19.128-microsoft-standard #1 SMP Tue Jun 23 12:58:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux, WSL on Windows 10 2004 (19041.572) |
| OS version (client) | Windows 10 2004 (19041.572) |
| TheHive version / git hash | 4.0.1-1-SNAPSHOT, develop-th4 : 57e5379 |
| Package Type | From Source |
Problem Description
Creating a user through the web interface after logging in as admin (admin/secret) results in the user not showing up in the interface.
A direct listUser query shows the user as having "no org".
Update: creating a user through the v0 or v1 API still causes the user to have "no org", EXCEPT if the organisation is "Admin", in which case it works fine.
Update 2: it seems that the user list API, the organisation list API and the user create API do not return truthful values.
I created a profile using this request:

```
POST 'http://localhost:9000/api/v1/user' '{"login":"user@local","name":"b","password":"secret","profile":"org-admin","organisation":"user"}'
```

And the response was:

```json
{"_id":"~45288","_createdBy":"admin@thehive.local","_createdAt":1603593020315,"login":"user@local","name":"b","hasKey":false,"hasPassword":false,"hasMFA":false,"locked":false,"profile":"org-admin","permissions":["manageShare","manageAnalyse","manageTask","manageCaseTemplate","manageCase","manageUser","managePage","manageObservable","manageConfig","manageAlert","manageAction"],"organisation":"no org","organisations":[]}
```
This lies about both hasPassword and the organisation.
The organisation is actually assigned, as logging in as the user shows the correct organisation in the top right of the screen.
Once logged in as the user, correct values are given:

```
POST 'http://localhost:9000/api/v1/query' {"query":[{"_name":"listOrganisation"},{"_name":"users"}]}
```

properly outputs

```json
[{"_id":"~45288","_createdBy":"admin@thehive.local","_createdAt":1603593020315,"login":"user@local","name":"b","hasKey":false,"hasPassword":true,"hasMFA":false,"locked":false,"profile":"org-admin","permissions":["manageShare","manageAnalyse","manageTask","manageCaseTemplate","manageCase","manageUser","managePage","manageObservable","manageConfig","manageAlert","manageAction"],"organisation":"user","organisations":[]}]
```
Which makes me think that admin users do not have the right to see users in other organizations.
Steps to Reproduce
- Install a fresh, from-source version of TheHive on branch develop-th4.
- Ensure that Cassandra is completely clean of any data.
- Log in as admin.
- Create an organisation.
- Create a user named "user@local", assign it "org-admin", accept.
- Watch as no users show up, yet no error appears in either the browser or the server logs.
- `POST http://localhost:9000/api/v1/query` with `'{"query":[{"_name":"listUser"}]}'`.
- Watch as the created user shows up, but without an org.
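The steps above as a runnable check, added here and not part of the original report: the comparison logic runs offline against the JSON quoted in the issue, and `reproduce()` drives the same steps against a live instance. It assumes TheHive on http://localhost:9000 with the admin/secret account from the report and that HTTP basic authentication is enabled for it (an assumption; if your instance only accepts API keys, change the Authorization header in `_post`).

```python
import base64
import json
import urllib.request

def org_discrepancies(created: dict, listed: list, expected_org: str) -> list:
    """Return problems found when comparing a create response with listUser."""
    problems = []
    if created.get("organisation") != expected_org:
        problems.append(f"create response organisation={created.get('organisation')!r}, "
                        f"expected {expected_org!r}")
    # The report supplies a password yet the response says hasPassword=false.
    if created.get("hasPassword") is False:
        problems.append("create response reports hasPassword=false after a password was set")
    match = [u for u in listed if u.get("login") == created.get("login")]
    if not match:
        problems.append(f"listUser did not return {created.get('login')!r}")
    elif match[0].get("organisation") != expected_org:
        problems.append(f"listUser organisation={match[0].get('organisation')!r}, "
                        f"expected {expected_org!r}")
    return problems

def _post(base_url: str, path: str, body: dict, auth: tuple):
    """POST JSON to TheHive with basic auth (assumed enabled) and decode the reply."""
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def reproduce(base_url="http://localhost:9000", auth=("admin", "secret"), org="user") -> list:
    """Run the report's steps against a live instance; the organisation must already exist."""
    created = _post(base_url, "/api/v1/user", {"login": "user@local", "name": "b",
                    "password": "secret", "profile": "org-admin", "organisation": org}, auth)
    listed = _post(base_url, "/api/v1/query", {"query": [{"_name": "listUser"}]}, auth)
    return org_discrepancies(created, listed, org)

# Constructed samples, trimmed from the two JSON responses quoted in the report.
AS_ADMIN = {"login": "user@local", "hasPassword": False, "profile": "org-admin",
            "organisation": "no org", "organisations": []}
AS_USER = dict(AS_ADMIN, hasPassword=True, organisation="user")

if __name__ == "__main__":
    # Offline run over the quoted samples; call reproduce() for a live instance.
    for p in org_discrepancies(AS_ADMIN, [AS_ADMIN], "user"):
        print("DISCREPANCY:", p)
```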
Possible Solutions
This commit seems to be where the string "no org" appeared, I'll attempt to build on the parent commit to see if this is the faulty commit.
Complementary information
"listUser" query with v1 api
[{"_id":"~8400","_createdBy":"admin@thehive.local","_createdAt":1603583470828,"login":"user@local","name":"a","hasKey":false,"hasPassword":false,"hasMFA":false,"locked":false,"profile":"org-admin","permissions":["manageShare","manageAnalyse","manageTask","manageCaseTemplate","manageCase","manageUser","managePage","manageObservable","manageConfig","manageAlert","manageAction"],"organisation":"no org","organisations":[]}]