Open JeremyCloarec opened 4 months ago
More info on the bug: the bug occurs on all queries using the "regardingOf" filter. The "regardingOf" filter uses the denormalized refs of entities to filter for relations (it checks if rel_relationType exists/targets ids given in regardingOf). But by doing so, it doesn't check for access restrictions on the filtered relations. To fix the "regardingOf" filter, we need a way to also check for access restrictions to the relations.
Known technical limitation. We need to talk about this.
Reopening since the PR has been reverted.
Is @JeremyCloarec still on this?
Yes, I will work on a new fix
Placing this bug on pause. Fixing it requires current rework of denormalized relations to be finished.
Description
"Entities view" in knowledge panel doesn't filter out entities with the markings of their relationship. When switching to "Relationships view", markings are properly applied. I found this bug on the malware panel but the bug should be the same for other entities.
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Expected Output
User B can see both relationship targets in Entities view
Actual Output
User B can only see the TLP:GREEN relationship target in Entities view
Additional information
Bug doesn't occur only on Victimology tab but on other tabs also (tested and reproduced on Threat actors tab, I assume that the bug is there on all tabs).
Relationships view with TLP:GREEN user:
Relationships view with TLP:RED user:
Entities view with both users:
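The "regardingOf" behaviour described in the comments above, as an added example that is not part of the issue and is not OpenCTI code: a filter that trusts the denormalized `rel_<relationType>` refs, next to one that resolves the relation and checks its markings first. The data model, user objects and function names are hypothetical, and the sample data is constructed.

```javascript
// Constructed sample data; field and function names are hypothetical, not OpenCTI's schema.
const relations = [
  { id: 'rel-1', type: 'targets', from: 'malware-1', to: 'sector-green', markings: ['TLP:GREEN'] },
  { id: 'rel-2', type: 'targets', from: 'malware-1', to: 'sector-red', markings: ['TLP:RED'] },
];

// Entities carry denormalized refs: rel_<relationType> lists the ids on the other end.
const entities = [
  { id: 'sector-green', markings: [], rel_targets: ['malware-1'] },
  { id: 'sector-red', markings: [], rel_targets: ['malware-1'] },
  { id: 'sector-other', markings: [], rel_targets: [] },
];

// A user may read an object only if every marking on it is in the user's allowed set.
const canSee = (user, obj) => obj.markings.every((m) => user.allowedMarkings.includes(m));

// Flawed: consults only the denormalized ref on the entity, so the markings
// of the relation that produced the ref are never evaluated.
function regardingOfDenormalized(user, relationType, id) {
  return entities
    .filter((e) => canSee(user, e))
    .filter((e) => (e[`rel_${relationType}`] || []).includes(id))
    .map((e) => e.id);
}

// Hardened: collect the relations this user may read, then keep only the
// entities linked through one of them.
function regardingOfWithAccessCheck(user, relationType, id) {
  const visibleEnds = new Set();
  for (const r of relations) {
    if (r.type !== relationType || !canSee(user, r)) continue;
    if (r.from === id) visibleEnds.add(r.to);
    if (r.to === id) visibleEnds.add(r.from);
  }
  return entities
    .filter((e) => canSee(user, e) && visibleEnds.has(e.id))
    .map((e) => e.id);
}

const greenUser = { allowedMarkings: ['TLP:GREEN'] };
const redUser = { allowedMarkings: ['TLP:GREEN', 'TLP:RED'] };

// The flawed filter returns the entity behind the TLP:RED relation to the TLP:GREEN user.
console.log('denormalized, green user:', regardingOfDenormalized(greenUser, 'targets', 'malware-1'));
console.log('access-checked, green user:', regardingOfWithAccessCheck(greenUser, 'targets', 'malware-1'));
console.log('access-checked, red user:', regardingOfWithAccessCheck(redUser, 'targets', 'malware-1'));
```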