
[Bug] Admin user does not have the right to list users of other organisations #1592

Closed
@miyoyo

Description


Request Type

Bug

Work Environment

OS version (server): Linux 4.19.128-microsoft-standard #1 SMP Tue Jun 23 12:58:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux, WSL on Windows 10 2004 (19041.572)
OS version (client): Windows 10 2004 (19041.572)
TheHive version / git hash: 4.0.1-1-SNAPSHOT, develop-th4 : 57e5379
Package Type: From Source

Problem Description

Creating a user using the web interface after logging in as admin (admin/secret) leads to the user not showing up in the interface.

Using a direct query to listUser will show the user as having "no org"

Update: Creating a user using the v0 or v1 API still causes the user to have "no org" EXCEPT if the organisation is "Admin", then it works fine.

Update 2: It seems that the user list api, the organisation list api, and the user create API don't return truthful values.

I created a profile using this request:

POST 'http://localhost:9000/api/v1/user' '{"login":"user@local","name":"b","password":"secret","profile":"org-admin","organisation":"user"}'

And the response was

{"_id":"~45288","_createdBy":"admin@thehive.local","_createdAt":1603593020315,"login":"user@local","name":"b","hasKey":false,"hasPassword":false,"hasMFA":false,"locked":false,"profile":"org-admin","permissions":["manageShare","manageAnalyse","manageTask","manageCaseTemplate","manageCase","manageUser","managePage","manageObservable","manageConfig","manageAlert","manageAction"],"organisation":"no org","organisations":[]}

Which both lies about hasPassword and the organisation.

The organisation is actually assigned, as logging in as the user shows the correct organisation in the top right of the screen.

Once logged in as the user, correct values are given.

POST 'http://localhost:9000/api/v1/query' {"query":[{"_name":"listOrganisation"},{"_name":"users"}]}

Properly outputs

[{"_id":"~45288","_createdBy":"admin@thehive.local","_createdAt":1603593020315,"login":"user@local","name":"b","hasKey":false,"hasPassword":true,"hasMFA":false,"locked":false,"profile":"org-admin","permissions":["manageShare","manageAnalyse","manageTask","manageCaseTemplate","manageCase","manageUser","managePage","manageObservable","manageConfig","manageAlert","manageAction"],"organisation":"user","organisations":[]}]

Which makes me think that admin users do not have the right to see users in other organizations.

Steps to Reproduce

  1. Install a fresh, from-source version of TheHive on branch develop-th4
  2. Ensure that Cassandra is completely clean of any data.
  3. Log in as admin
  4. Create an organisation
  5. Create a user named "user@local", assign it "org-admin", accept
  6. Watch as no users show up, yet no errors appear in either the browser or the server logs
  7. POST http://localhost:9000/api/v1/query with '{"query":[{"_name":"listUser"}]}'
  8. Watch as the created user shows up, but without an org

Possible Solutions

7cc8d5c

This commit seems to be where the string "no org" appeared, I'll attempt to build on the parent commit to see if this is the faulty commit.

Complementary information

"listUser" query with v1 api

[{"_id":"~8400","_createdBy":"admin@thehive.local","_createdAt":1603583470828,"login":"user@local","name":"a","hasKey":false,"hasPassword":false,"hasMFA":false,"locked":false,"profile":"org-admin","permissions":["manageShare","manageAnalyse","manageTask","manageCaseTemplate","manageCase","manageUser","managePage","manageObservable","manageConfig","manageAlert","manageAction"],"organisation":"no org","organisations":[]}]
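The discrepancy the report describes (the admin's listUser view disagreeing with the user's own view on "organisation" and "hasPassword") can be turned into a regression check. This is an added example, not TheHive project code: it drives the v1 endpoints and query names quoted in the report through an injected `post` callable (how authentication is applied to the request is left to the caller, and the local URL is an assumption), and ships with a constructed fake server that replays the responses shown above.

```python
"""Regression check for the report above: the admin-side user listing must agree
with the user's own listing. Added example, not TheHive project code."""
from typing import Callable, List

BASE = "http://localhost:9000"  # assumption: the local dev instance from the report

# post(path, body, auth) -> parsed JSON. Injected so the check runs offline;
# a real implementation would send the request with the instance's configured auth.
Post = Callable[[str, dict, tuple], object]

def list_users(post: Post, auth: tuple) -> List[dict]:
    # Admin-side view: the query the report says returns "no org"
    return post("/api/v1/query", {"query": [{"_name": "listUser"}]}, auth)

def own_view(post: Post, auth: tuple) -> List[dict]:
    # The user's own view, which the report says returns the correct values
    body = {"query": [{"_name": "listOrganisation"}, {"_name": "users"}]}
    return post("/api/v1/query", body, auth)

def find_inconsistencies(admin_rows: List[dict], user_rows: List[dict], login: str) -> List[str]:
    """Field names where the admin listing of `login` disagrees with the user's own listing."""
    a = next(r for r in admin_rows if r["login"] == login)
    u = next(r for r in user_rows if r["login"] == login)
    watched = ("organisation", "hasPassword", "profile", "locked")
    return sorted(k for k in watched if a.get(k) != u.get(k))

def check(post: Post, login: str = "user@local", password: str = "secret", org: str = "user") -> List[str]:
    """Create the user as admin, then compare both views; an empty list means consistent."""
    admin = ("admin", "secret")
    post("/api/v1/user", {"login": login, "name": "b", "password": password,
                          "profile": "org-admin", "organisation": org}, admin)
    return find_inconsistencies(list_users(post, admin), own_view(post, (login, password)), login)

# Constructed fake server reproducing the buggy responses quoted in the report.
def fake_post(path: str, body: dict, auth: tuple):
    row = {"login": "user@local", "profile": "org-admin", "locked": False,
           "hasKey": False, "hasMFA": False, "organisations": []}
    if path == "/api/v1/user":          # create response: "no org", hasPassword false
        return dict(row, organisation="no org", hasPassword=False)
    if auth[0] == "admin":              # admin's listUser: still "no org"
        return [dict(row, organisation="no org", hasPassword=False)]
    return [dict(row, organisation="user", hasPassword=True)]  # user's own view

if __name__ == "__main__":
    print(check(fake_post))  # ['hasPassword', 'organisation']
```

Against a real instance, `check` should return an empty list once the fix lands; pointing `post` at the server instead of `fake_post` turns it into an integration test.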

Labels: TheHive4, TheHive4 related issues, bug