[go: nahoru, domu]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[backend] fix user capabilities check for notification (#7109) #7130

Merged
merged 7 commits into from
May 31, 2024
Merged

[backend] fix user capabilities check for notification (#7109) #7130

merged 7 commits into from
May 31, 2024

Conversation

marieflorescontact
Copy link
Member
@marieflorescontact marieflorescontact commented May 27, 2024
edited
Loading

Proposed changes

  • We were checking for SETTINGS_SETACCESSES value in userCapabilities, which is an array of split capabilities (=>[ 'SETTINGS, 'SETACCESSES]

Related issues

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality
  • I wrote test cases for the relevant uses case (coverage and e2e)
  • I added/update the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

@marieflorescontact marieflorescontact linked an issue May 27, 2024 that may be closed by this pull request
[Notification] Bulk notification manipulation impossible #7109
Closed
@marieflorescontact marieflorescontact self-assigned this May 27, 2024
@marieflorescontact marieflorescontact added the filigran team use to identify PR from the Filigran team label May 27, 2024
@codecov Codecov
Copy link
codecov bot commented May 27, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 62.50000% with 3 lines in your changes are missing coverage. Please review.

Project coverage is 67.60%. Comparing base (a2df434) to head (c033049).
Report is 4 commits behind head on master.

Files Patch % Lines
...pencti-graphql/src/domain/backgroundTask-common.js 33.33% 2 Missing ⚠️
...-platform/opencti-graphql/src/resolvers/opinion.js 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #7130   +/-   ##
=======================================
  Coverage   67.59%   67.60%           
=======================================
  Files         561      561           
  Lines       68760    68761    +1     
  Branches     5840     5841    +1     
=======================================
+ Hits        46477    46483    +6     
+ Misses      22283    22278    -5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@marieflorescontact marieflorescontact marked this pull request as ready for review May 27, 2024 12:08
lndrtrbn
lndrtrbn reviewed May 28, 2024
View reviewed changes
Copy link
Member
@lndrtrbn lndrtrbn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not understand the explanation of the issue. Even with the array [SETTINGS, SETACCESSES] it should work as SETACCESSES is a child of SETTINGS so if you have it you also have the parent?

@marieflorescontact
Copy link
Member Author

I do not understand the explanation of the issue. Even with the array [SETTINGS, SETACCESSES] it should work as SETACCESSES is a child of SETTINGS so if you have it you also have the parent?

as userCapabilities is an array of capabilities split on the "_" (line 37), the condition userCapabilities.includes(SETTINGS_SET_ACCESSES) was never true.

@lndrtrbn
Copy link
Member

as userCapabilities is an array of capabilities split on the "_" (line 37), the condition userCapabilities.includes(SETTINGS_SET_ACCESSES) was never true.

Ah, yes ok. Still feels strange we need to add a new constant to resolve the issue. Do we not have a function somewhere that already checks capabilities instead of calling directly userCapabilities.includes?

lndrtrbn
lndrtrbn requested changes May 28, 2024
View reviewed changes
Copy link
Member
@lndrtrbn lndrtrbn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use isUserHasCapability instead?

@marieflorescontact marieflorescontact mentioned this pull request May 30, 2024
Open
@marieflorescontact
Copy link
Member Author
marieflorescontact commented May 30, 2024
edited by labo-flg
Loading

Use isUserHasCapability instead?

the use of isUserHasCapability requires a more global rework on the capa check. i created a technical issue #7184 because while investigating with @labo-flg we found 2 other places where the check was badly done (in notes and opinions). So for now the bug is fixed, the check is done on a string hardcoded, I've put a TODO for the next step.

@labo-flg labo-flg requested a review from lndrtrbn May 30, 2024 11:57
@lndrtrbn
Copy link
Member

Use isUserHasCapability instead?

the use of isUserHasCapability requires a more global rework on the capa check. i created a technical issue #7184 because while investigating with @labo-flg we found 2 other places where the check was badly done (in notes and opinions). So for now the bug is fixed, the check is done on a string hardcoded, I've put a TODO for the next step.

Even if we are not taking care of the global rework in this PR we can still at least use the function correctly for the 2 lines triggering the bug instead of adding hard coded strings no?

@marieflorescontact marieflorescontact merged commit a3b7361 into master May 31, 2024
5 checks passed
@marieflorescontact marieflorescontact deleted the issue/7109 branch May 31, 2024 08:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lndrtrbn lndrtrbn lndrtrbn approved these changes

@SarahBocognano SarahBocognano SarahBocognano approved these changes

Assignees

@marieflorescontact marieflorescontact

Labels
filigran team use to identify PR from the Filigran team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Notification] Bulk notification manipulation impossible
3 participants
@marieflorescontact @lndrtrbn @SarahBocognano