[ResponseOps][Cases] Fix edit cases settings privilege #202053
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
js-jankisalvi
added
bug
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
Pinging @elastic/response-ops-cases (Feature:Cases) |
js-jankisalvi
added
release_note:skip
adcoelho
reviewed
Dec 3, 2024
adcoelho
reviewed
Dec 3, 2024
x-pack/test/functional_with_es_ssl/apps/cases/group1/sub_privileges.ts
Outdated
Show resolved
Hide resolved
adcoelho
reviewed
Dec 3, 2024
adcoelho
reviewed
Dec 3, 2024
adcoelho
reviewed
Dec 3, 2024
There was a problem hiding this comment.
I went over the code and now during testing I was thinking:
Do we even need to check for permissions.settings inside custom_fields/index and templates/index? Those components and the settings page will not be reachabable if the user does not have permissions.settings so I am not sure it makes sense to do the check.
We check permissions.connectors for editing connectors on the page. If we had permissions.custom_fields or permissions.templates then we could also check those, but if this page is already behind a permissions check I don't think we should be making it again.
wdyt?
Outside of that I tested different roles and it seems to be working as expected. I left some small comments.
Good point, we should just rely on settings page for all features inside settings. I will remove the check from custom_fields, templates and verify if something breaks. |
cnasikas
reviewed
Dec 3, 2024
There was a problem hiding this comment.
Similar to what Antonio expressed, because the settings feature privilege governs the whole settings page, what if when you do not have permissions for the settings a) hide the "Settings" button and b) if someone navigates through the URL, we show a non-privileged page?
|
Ok, forget what I said :). I noticed that in |
|
Removed |
2 tasks
adcoelho
approved these changes
Dec 4, 2024
|
Starting backport for target branches: 8.16, 8.17, 8.x |
💚 Build Succeeded
Metrics [docs]Async chunks
Page load bundle
History
|
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 4, 2024
## Summary Fixes elastic#197650 Also fixes an issue where user has `cases: all ` and `edit case settings: false`, user was able to edit settings. Used `permissions.settings` instead of `permissions.update` and `permissions.create` for custom fields and templates. ### How to test - Verify by creating a user with different combinations of cases and edit case settings privileges ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 8e8ba53)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 4, 2024
## Summary Fixes elastic#197650 Also fixes an issue where user has `cases: all ` and `edit case settings: false`, user was able to edit settings. Used `permissions.settings` instead of `permissions.update` and `permissions.create` for custom fields and templates. ### How to test - Verify by creating a user with different combinations of cases and edit case settings privileges ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 8e8ba53)
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
js-jankisalvi
added a commit
to js-jankisalvi/kibana
that referenced
this pull request
Dec 4, 2024
## Summary Fixes elastic#197650 Also fixes an issue where user has `cases: all ` and `edit case settings: false`, user was able to edit settings. Used `permissions.settings` instead of `permissions.update` and `permissions.create` for custom fields and templates. ### How to test - Verify by creating a user with different combinations of cases and edit case settings privileges ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 8e8ba53) # Conflicts: # x-pack/plugins/cases/common/utils/capabilities.test.tsx # x-pack/plugins/cases/public/components/configure_cases/index.tsx
kibanamachine
added a commit
that referenced
this pull request
Dec 4, 2024
… (#202970) # Backport This will backport the following commits from `main` to `8.17`: - [[ResponseOps][Cases] Fix edit cases settings privilege (#202053)](#202053) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Janki Salvi","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-04T15:55:08Z","message":"[ResponseOps][Cases] Fix edit cases settings privilege (#202053)\n\n## Summary\r\n\r\nFixes https://github.com/elastic/kibana/issues/197650\r\n\r\nAlso fixes an issue where user has `cases: all ` and `edit case\r\nsettings: false`, user was able to edit settings.\r\n\r\nUsed `permissions.settings` instead of `permissions.update` and\r\n`permissions.create` for custom fields and templates.\r\n\r\n### How to test\r\n- Verify by creating a user with different combinations of cases and\r\nedit case settings privileges\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"8e8ba53116c16cc9b9122de27415cf8519cc1863","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:ResponseOps","v9.0.0","Feature:Cases","backport:prev-minor","v8.17.0","v8.18.0","v8.16.2"],"title":"[ResponseOps][Cases] Fix edit cases settings privilege","number":202053,"url":"https://github.com/elastic/kibana/pull/202053","mergeCommit":{"message":"[ResponseOps][Cases] Fix edit cases settings privilege (#202053)\n\n## Summary\r\n\r\nFixes https://github.com/elastic/kibana/issues/197650\r\n\r\nAlso fixes an issue where user has `cases: all ` and `edit case\r\nsettings: false`, user was able to edit settings.\r\n\r\nUsed `permissions.settings` instead of `permissions.update` and\r\n`permissions.create` for custom fields and templates.\r\n\r\n### How to test\r\n- Verify by creating a user with different combinations of cases and\r\nedit case settings privileges\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"8e8ba53116c16cc9b9122de27415cf8519cc1863"}},"sourceBranch":"main","suggestedTargetBranches":["8.17","8.x","8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202053","number":202053,"mergeCommit":{"message":"[ResponseOps][Cases] Fix edit cases settings privilege (#202053)\n\n## Summary\r\n\r\nFixes https://github.com/elastic/kibana/issues/197650\r\n\r\nAlso fixes an issue where user has `cases: all ` and `edit case\r\nsettings: false`, user was able to edit settings.\r\n\r\nUsed `permissions.settings` instead of `permissions.update` and\r\n`permissions.create` for custom fields and templates.\r\n\r\n### How to test\r\n- Verify by creating a user with different combinations of cases and\r\nedit case settings privileges\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"8e8ba53116c16cc9b9122de27415cf8519cc1863"}},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.16","label":"v8.16.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Janki Salvi <[email protected]>
kibanamachine
added a commit
that referenced
this pull request
Dec 4, 2024
#202971) # Backport This will backport the following commits from `main` to `8.x`: - [[ResponseOps][Cases] Fix edit cases settings privilege (#202053)](#202053) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Janki Salvi","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-04T15:55:08Z","message":"[ResponseOps][Cases] Fix edit cases settings privilege (#202053)\n\n## Summary\r\n\r\nFixes https://github.com/elastic/kibana/issues/197650\r\n\r\nAlso fixes an issue where user has `cases: all ` and `edit case\r\nsettings: false`, user was able to edit settings.\r\n\r\nUsed `permissions.settings` instead of `permissions.update` and\r\n`permissions.create` for custom fields and templates.\r\n\r\n### How to test\r\n- Verify by creating a user with different combinations of cases and\r\nedit case settings privileges\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"8e8ba53116c16cc9b9122de27415cf8519cc1863","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:ResponseOps","v9.0.0","Feature:Cases","backport:prev-minor","v8.17.0","v8.18.0","v8.16.2"],"title":"[ResponseOps][Cases] Fix edit cases settings privilege","number":202053,"url":"https://github.com/elastic/kibana/pull/202053","mergeCommit":{"message":"[ResponseOps][Cases] Fix edit cases settings privilege (#202053)\n\n## Summary\r\n\r\nFixes https://github.com/elastic/kibana/issues/197650\r\n\r\nAlso fixes an issue where user has `cases: all ` and `edit case\r\nsettings: false`, user was able to edit settings.\r\n\r\nUsed `permissions.settings` instead of `permissions.update` and\r\n`permissions.create` for custom fields and templates.\r\n\r\n### How to test\r\n- Verify by creating a user with different combinations of cases and\r\nedit case settings privileges\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"8e8ba53116c16cc9b9122de27415cf8519cc1863"}},"sourceBranch":"main","suggestedTargetBranches":["8.17","8.x","8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202053","number":202053,"mergeCommit":{"message":"[ResponseOps][Cases] Fix edit cases settings privilege (#202053)\n\n## Summary\r\n\r\nFixes https://github.com/elastic/kibana/issues/197650\r\n\r\nAlso fixes an issue where user has `cases: all ` and `edit case\r\nsettings: false`, user was able to edit settings.\r\n\r\nUsed `permissions.settings` instead of `permissions.update` and\r\n`permissions.create` for custom fields and templates.\r\n\r\n### How to test\r\n- Verify by creating a user with different combinations of cases and\r\nedit case settings privileges\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"8e8ba53116c16cc9b9122de27415cf8519cc1863"}},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.16","label":"v8.16.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Janki Salvi <[email protected]>
js-jankisalvi
added a commit
that referenced
this pull request
Dec 5, 2024
… (#202987) # Backport This will backport the following commits from `main` to `8.16`: - [[ResponseOps][Cases] Fix edit cases settings privilege (#202053)](#202053) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Janki Salvi","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-04T15:55:08Z","message":"[ResponseOps][Cases] Fix edit cases settings privilege (#202053)\n\n## Summary\r\n\r\nFixes https://github.com/elastic/kibana/issues/197650\r\n\r\nAlso fixes an issue where user has `cases: all ` and `edit case\r\nsettings: false`, user was able to edit settings.\r\n\r\nUsed `permissions.settings` instead of `permissions.update` and\r\n`permissions.create` for custom fields and templates.\r\n\r\n### How to test\r\n- Verify by creating a user with different combinations of cases and\r\nedit case settings privileges\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"8e8ba53116c16cc9b9122de27415cf8519cc1863","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:ResponseOps","v9.0.0","Feature:Cases","backport:prev-minor","v8.17.0","v8.18.0","v8.16.2"],"number":202053,"url":"https://github.com/elastic/kibana/pull/202053","mergeCommit":{"message":"[ResponseOps][Cases] Fix edit cases settings privilege (#202053)\n\n## Summary\r\n\r\nFixes https://github.com/elastic/kibana/issues/197650\r\n\r\nAlso fixes an issue where user has `cases: all ` and `edit case\r\nsettings: false`, user was able to edit settings.\r\n\r\nUsed `permissions.settings` instead of `permissions.update` and\r\n`permissions.create` for custom fields and templates.\r\n\r\n### How to test\r\n- Verify by creating a user with different combinations of cases and\r\nedit case settings privileges\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"8e8ba53116c16cc9b9122de27415cf8519cc1863"}},"sourceBranch":"main","suggestedTargetBranches":["8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202053","number":202053,"mergeCommit":{"message":"[ResponseOps][Cases] Fix edit cases settings privilege (#202053)\n\n## Summary\r\n\r\nFixes https://github.com/elastic/kibana/issues/197650\r\n\r\nAlso fixes an issue where user has `cases: all ` and `edit case\r\nsettings: false`, user was able to edit settings.\r\n\r\nUsed `permissions.settings` instead of `permissions.update` and\r\n`permissions.create` for custom fields and templates.\r\n\r\n### How to test\r\n- Verify by creating a user with different combinations of cases and\r\nedit case settings privileges\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"8e8ba53116c16cc9b9122de27415cf8519cc1863"}},{"branch":"8.17","label":"v8.17.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/202970","number":202970,"state":"OPEN"},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/202971","number":202971,"state":"OPEN"},{"branch":"8.16","label":"v8.16.2","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
SoniaSanzV
pushed a commit
to SoniaSanzV/kibana
that referenced
this pull request
Dec 9, 2024
## Summary Fixes elastic#197650 Also fixes an issue where user has `cases: all ` and `edit case settings: false`, user was able to edit settings. Used `permissions.settings` instead of `permissions.update` and `permissions.create` for custom fields and templates. ### How to test - Verify by creating a user with different combinations of cases and edit case settings privileges ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
SoniaSanzV
pushed a commit
to SoniaSanzV/kibana
that referenced
this pull request
Dec 9, 2024
## Summary Fixes elastic#197650 Also fixes an issue where user has `cases: all ` and `edit case settings: false`, user was able to edit settings. Used `permissions.settings` instead of `permissions.update` and `permissions.create` for custom fields and templates. ### How to test - Verify by creating a user with different combinations of cases and edit case settings privileges ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Dec 9, 2024
## Summary Fixes elastic#197650 Also fixes an issue where user has `cases: all ` and `edit case settings: false`, user was able to edit settings. Used `permissions.settings` instead of `permissions.update` and `permissions.create` for custom fields and templates. ### How to test - Verify by creating a user with different combinations of cases and edit case settings privileges ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Samiul-TheSoccerFan
pushed a commit
to Samiul-TheSoccerFan/kibana
that referenced
this pull request
Dec 10, 2024
## Summary Fixes elastic#197650 Also fixes an issue where user has `cases: all ` and `edit case settings: false`, user was able to edit settings. Used `permissions.settings` instead of `permissions.update` and `permissions.create` for custom fields and templates. ### How to test - Verify by creating a user with different combinations of cases and edit case settings privileges ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Dec 12, 2024
## Summary Fixes elastic#197650 Also fixes an issue where user has `cases: all ` and `edit case settings: false`, user was able to edit settings. Used `permissions.settings` instead of `permissions.update` and `permissions.create` for custom fields and templates. ### How to test - Verify by creating a user with different combinations of cases and edit case settings privileges ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #197650
Also fixes an issue where user has
cases: allandedit case settings: false, user was able to edit settings.Used
permissions.settingsinstead ofpermissions.updateandpermissions.createfor custom fields and templates.How to test
Checklist