OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

[RBAC] User kicked out when accessing a forbidden resource #8748

Open Lhorus6 opened 1 week ago

Lhorus6 commented 1 week ago

Description

I created a user who can only access a TAXII collection in order to share data. I have a Role containing only one capability: Access Data Sharing (and nothing else).

However, he can click on the “Data > Data sharing” menu.


When he does this, two problems arise:

  1. He sees the page for a quarter of a second, and therefore sees the existing Live streams (which shouldn't be possible).
  2. He is thrown out of the platform rather than getting a “you are not authorized to access this screen” error message.

Environment

OCTI 6.3.6

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create a user that is part of a group with all markings and with a role containing only "Access data sharing"
  2. Log on to the platform with this user and try to access the “Data > Data sharing” page.

Expected Output

No “Data > Data sharing” button at all

OR

Have it but:

NB: Even better would be not to be able to log in to the interface ;)

nino-filigran commented 6 days ago

For me the fix is:

Ok with this @romain-filigran ?

romain-filigran commented 6 days ago

Yes @nino-filigran , it makes sense