Get user details via API is available to non-admin users #194

Closed
neuralhax opened this issue May 23, 2019 · 0 comments
Request Type

Bug

Work Environment

Question                    Answer
OS version (server)         Debian
OS version (client)         Fedora
Cortex version / git hash   2.1.3
Package Type                Docker

Problem Description

The current API documentation says:

"This call returns the user details. It's available to users with superAdmin or orgAdmin roles. Every user can also use it to read their own details." [1]

[1] https://github.com/TheHive-Project/CortexDocs/blob/master/api/api-guide.md#get-details

However, it is possible for users with only Read or Read/Analyze roles to get details of other users within the same organization.

Steps to Reproduce

Pre-conditions:

  • "test" user with "read" role in "test_org" has API key: 5Nt0tW0Z3qm1CKqxIrt7uZDYI/Tyl0RN
  • "test3" user with "read" and "analyze" roles is in the same "test_org" organization

Step 1:

$ curl -H 'Authorization: Bearer 5Nt0tW0Z3qm1CKqxIrt7uZDYI/Tyl0RN' localhost:9001/api/user/test
{"roles":["read"],"organization":"test_org","name":"test user","createdBy":"admin","createdAt":1558450972423,"status":"Ok","updatedBy":"admin","updatedAt":1558455173759,"_type":"user","_routing":"test","_parent":null,"_id":"test","_version":2,"id":"test","hasKey":true,"hasPassword":false}

Step 2:

$ curl -H 'Authorization: Bearer 5Nt0tW0Z3qm1CKqxIrt7uZDYI/Tyl0RN' localhost:9001/api/user/test3
{"createdAt":1558455952687,"organization":"test_org","roles":["read","analyze"],"createdBy":"admin","name":"test","status":"Ok","updatedBy":"admin","updatedAt":1558455977263,"_type":"user","_routing":"test3","_parent":null,"_id":"test3","_version":2,"id":"test3","hasKey":true,"hasPassword":false}

The last command shows that the "test" user is able to get details of the "test3" user despite having only the "read" role, contrary to what the documentation says. The same bug is in TheHive as well. Even though the TheHive documentation doesn't explicitly mention it, it's probably a good idea to make it consistent with the Cortex API behaviour.
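As an added example (not code from the issue or from the Cortex project), the documented rule can be written down as a small policy function and replayed against the two responses shown above, so that a deployment can check whether the "get user details" endpoint matches its documentation after an upgrade. The `may_read_user` and `audit` functions, the `TEST_USER` record and the abridged `OBSERVED` bodies are constructed here; scoping an orgAdmin to their own organization is an assumption, since the quoted documentation does not say so.

```python
import json

# Documented rule quoted in the issue (CortexDocs api-guide, "get details"):
# superAdmin or orgAdmin may read user details; every user may read their own.
# Assumption (not stated on the page): an orgAdmin is scoped to their own organization.
ADMIN_ROLES = {"superAdmin", "orgAdmin"}


def may_read_user(requester: dict, target: dict) -> bool:
    """Policy check as the documentation describes it.

    requester/target are dicts shaped like the API's user records
    (at least "id", "roles" and "organization" where known).
    """
    if requester["id"] == target["id"]:
        return True
    roles = set(requester.get("roles", []))
    if "superAdmin" in roles:
        return True
    if "orgAdmin" in roles and requester.get("organization") == target.get("organization"):
        return True
    return False


# Constructed replay of the two exchanges in the issue: both requests were made
# with the "test" user's key; the JSON bodies are abridged copies of the ones above.
TEST_USER = {"id": "test", "roles": ["read"], "organization": "test_org"}

OBSERVED = {
    "/api/user/test": (200, json.loads(
        '{"roles":["read"],"organization":"test_org","name":"test user",'
        '"createdBy":"admin","createdAt":1558450972423,"status":"Ok",'
        '"_id":"test","id":"test","hasKey":true,"hasPassword":false}')),
    "/api/user/test3": (200, json.loads(
        '{"createdAt":1558455952687,"organization":"test_org","roles":["read","analyze"],'
        '"createdBy":"admin","name":"test","status":"Ok",'
        '"_id":"test3","id":"test3","hasKey":true,"hasPassword":false}')),
}


def audit(requester: dict, observed: dict) -> list:
    """Compare each observed (status, body) against the documented policy.

    Returns one finding string per mismatch: a 200 the policy says should
    have been denied, or a non-200 the policy says should have succeeded.
    """
    findings = []
    for path, (status, body) in observed.items():
        target_id = path.rsplit("/", 1)[-1]
        # On a 200 the body is the authoritative record; otherwise only the id is known.
        target = body if status == 200 and body else {"id": target_id}
        expected = may_read_user(requester, target)
        actual = status == 200
        if actual and not expected:
            findings.append(
                f"{path}: returned 200 to {requester['id']} "
                f"(roles {requester['roles']}) but policy says deny")
        elif expected and not actual:
            findings.append(
                f"{path}: returned {status} to {requester['id']} but policy says allow")
    return findings


if __name__ == "__main__":
    for line in audit(TEST_USER, OBSERVED):
        print(line)
```

Run against the replayed responses, `audit` reports exactly one finding, for `/api/user/test3`: the own-record lookup in Step 1 is consistent with the documentation, the cross-user lookup in Step 2 is not. The same function can be pointed at a fresh set of captured responses after the fix lands to confirm the endpoint now denies the second case.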

@saadkadhi saadkadhi added the bug label May 30, 2019
@saadkadhi saadkadhi added this to the 3.0.0-RC4 milestone May 30, 2019
@To-om To-om modified the milestones: 3.0.0-RC4, 3.0.0-RC3 Jun 3, 2019
To-om added a commit to TheHive-Project/CortexDocs that referenced this issue Jun 3, 2019
@To-om To-om closed this as completed Jun 3, 2019