dfir-iris/iris-web

[BUG] Access control in Activities is missing

RoemIko opened this issue · 1 comment

Describe the bug
When allowing certain users to a case, other users can see the activity regarding that case. This should not be possible since that user does not have access to the case.

To Reproduce
Steps to reproduce the behavior:

  1. Create a case
  2. Deny all users except one
  3. Create events and IOCs with the user that can access the case
  4. As a different user check the /activities tab for activities regarding that case

Expected behavior
The user that is denied from the case should not be able to see activity regarding the case.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Docker
  • Browser: Chrome
  • Version: 122
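
The check the report is asking for, as an added illustration rather than iris-web's own code: an activity listing must be filtered by the caller's access to each activity's case, with only a global "read all" or administrator permission bypassing the per-case allow list. The data model, the permission names (`activities_read`, `activities_read_all`, `server_administrator`, taken from the maintainer's question below and not from IRIS's real enums), and the sample cases and activities are all constructed for this example.

```python
# Added illustration, not iris-web code. Models the access check an activity
# listing needs so that a user denied from a case cannot see its activity.
from dataclasses import dataclass, field

# Constructed permission names; they mirror the wording of the maintainer's
# comment, not the project's actual permission enum.
PERM_ACTIVITIES_READ = "activities_read"
PERM_ACTIVITIES_READ_ALL = "activities_read_all"
PERM_SERVER_ADMIN = "server_administrator"


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Case:
    case_id: int
    allowed_users: set  # explicit allow list; anyone not listed is denied


@dataclass
class Activity:
    case_id: int
    actor: str
    description: str


def user_can_read_case(user, case):
    """Case-level access: explicit allow, or a global permission that bypasses the ACL."""
    if PERM_SERVER_ADMIN in user.permissions or PERM_ACTIVITIES_READ_ALL in user.permissions:
        return True
    return user.name in case.allowed_users


def list_activities_unfiltered(activities):
    """The behaviour the report describes: the listing ignores case access entirely."""
    return list(activities)


def list_activities_for_user(user, cases, activities):
    """Hardened listing: only activities whose case the caller is allowed to read."""
    base = {PERM_ACTIVITIES_READ, PERM_ACTIVITIES_READ_ALL, PERM_SERVER_ADMIN}
    if not (user.permissions & base):
        return []  # no activities permission at all
    readable = {c.case_id for c in cases.values() if user_can_read_case(user, c)}
    return [a for a in activities if a.case_id in readable]


# Constructed sample data: case 1 is restricted to alice, case 2 allows alice and bob.
CASES = {
    1: Case(1, {"alice"}),
    2: Case(2, {"alice", "bob"}),
}
ACTIVITIES = [
    Activity(1, "alice", "added IOC 198.51.100.7"),
    Activity(1, "alice", "created event 'initial access'"),
    Activity(2, "bob", "added note"),
]
USERS = {
    "alice": User("alice", {PERM_ACTIVITIES_READ}),
    "bob": User("bob", {PERM_ACTIVITIES_READ}),
    "carol": User("carol", {PERM_ACTIVITIES_READ_ALL}),
    "dave": User("dave", set()),
}

if __name__ == "__main__":
    for name, user in USERS.items():
        seen = list_activities_for_user(user, CASES, ACTIVITIES)
        print(f"{name}: {[a.description for a in seen]}")
```

With this data, bob (denied from case 1) sees only the case 2 note, while the unfiltered listing hands every user all three entries; that gap is what the reproduction steps above expose. The same comparison is a cheap regression test to keep alongside any fix.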

I tried to reproduce the issue you're describing but couldn't. Did the other user in your example have server administrator, activities read or activities read all permissions?