-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] [Detections] Disable edit button when user does not have actions privileges w/ rule + actions #80220
[Security Solution] [Detections] Disable edit button when user does not have actions privileges w/ rule + actions #80220
Conversation
Pinging @elastic/siem (Team:SIEM) |
We'll have to account for a the Side question -- did there end up being any API-layer checks preventing users from modifying a rule with actions if they don't have actions privileges? |
Okay I'll make those updates for the all rules table too. As for api-side, the user would see a 403 error on the api if they attempt to edit a rule with an action and don't have privileges. So no, I have not made modifications on the api side to prevent users from editing. I can though if that would make for a better user experience. |
@spong Yeah I am also seeing this behavior. I was thinking that since the enable API route for the alerting framework was a separate call from updating that this would not have been a problem. I tested this situation outside of our code using the alerting _enable API and got the same response.
This is my oversight. I actually had not tested this before we spoke but I assumed it would work since they were separate api's. After looking at the code it makes sense why we would get a 403 back from alerting and why alerting would prevent the enabling of an alert + action for a user that does not have any privileges for actions, otherwise the action would silently fail to execute since that new user's api key would be used to execute the alert + action. I'm assuming I should disable the enable switch for rules and use the same tooltip as the "Edit Rule" button? |
Thanks for all the fixes here @dhurley14! 🙂 In testing the latest I found one last touch point for activate/deactivate and that's with the bulk actions: We've already got a few permissions checks around the bulk actions, so should be fairly straightforward to add something like: const containsActions = selectedRuleIds.some(
(id) => rules.find((r) => r.id === id)?.actions?.length > 0 ?? false
); around here: Lines 43 to 45 in 7f3ec3f
And then disable the |
88e2ba4
to
a754926
Compare
if (rule == null) { | ||
return true; | ||
} | ||
if (rule.actions != null && rule.actions.length > 0 && isBoolean(privileges)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Could simplify with if you want:
if (rule.actions != null && rule.actions.length > 0 && isBoolean(privileges)) { | |
if (rule.actions?.length > 0 > 0 && isBoolean(privileges)) { |
await duplicateRulesAction([rule], [rule.id], noop, dispatchToaster); | ||
}} | ||
> | ||
{i18nActions.DUPLICATE_RULE} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Could move EuiToolTip
to wrap this instead of EuiContextMenuItem
in the event we end up adding a tooltip to the next menu item as well (to prevent the styling issue). This also ensure's all top level components have a key
as well.
const canBulkActivateRulesWithActions = selectedRuleIds.every((id) => { | ||
const found = rules.find((rule) => rule.id === id); | ||
if (found != null) { | ||
if (found.actions.length > 0) { | ||
if (canEditRuleWithActions(found, hasActionsPrivileges)) { | ||
return true; | ||
} else { | ||
return false; | ||
} | ||
} else { | ||
return true; | ||
} | ||
} | ||
return true; | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a bit difficult to follow -- to determine the value of canBulkActivateRulesWithActions
, we really just need to know if the user hasActionsPrivileges
, and if any of the selected rules have actions, right?
With this logic we're going to loop over every rule even if the first rule has actions and the user doesn't have permissions, even though that's enough to know that we need to disable any bulk_action that requires action privileges.
Still making use of your canEditRuleWithActions()
function, we can invert the check using some()
such that we'll bail early as soon as we find one rule with actions and the user doesn't hasActionsPrivileges
.
const missingActionPrivileges = selectedRuleIds.some((id) => {
return !canEditRuleWithActions(
rules.find((rule) => rule.id === id),
hasActionsPrivileges
);
});
Going further, if the user hasActionsPrivileges
we don't even have to check if any rule has actions, so we can short circuit even earlier! At the expense of readability of course... 😅
const missingActionPrivileges =
!hasActionsPrivileges &&
selectedRuleIds.some((id) => {
return !canEditRuleWithActions(
rules.find((rule) => rule.id === id),
hasActionsPrivileges
);
});
And then you can replace !canBulkActivateRulesWithActions
with missingActionPrivileges
, which reads a bit easier too since it avoids negation (although it adds one back into the calculation, but that can't be avoided since we're inverting our check).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a few nits for readability (which is tough with all these permissions checks), but overall LGTM! 👍
Thanks for taking care of all these corner cases too @dhurley14 -- this is going to be really helpful for our users! And as we chatted about (#80601), outside of this bugfix we can probably clean up a lot of this readability logic by having a custom actions component that takes a common set of privileges and determines its disabled
state from that. That'll be a good refactor for a future release 🙂
4a2e6a5
to
f1733c4
Compare
…to be edited, but the user attempting the edit does not have actions privileges
…show capabilities are a boolean even though tye are typed as a boolean | Record
…in overflow button
…s describing why they are disabled
8c769dd
to
c89f412
Compare
💚 Build SucceededMetrics [docs]@kbn/optimizer bundle module count
async chunks size
History
To update your PR or re-run it, just comment with: |
…ot have actions privileges w/ rule + actions (elastic#80220) * disable edit button only when there is an action present on the rule to be edited, but the user attempting the edit does not have actions privileges * adds tooltip to explain why the edit rule button is disabled * prevent user from editing rules with actions on the all rules table * adds tooltip to appear on all rules table * updates tests for missing params and missing mock of useKibana * disable activate switch on all rules table and rule details page * remove as casting in favor of a boolean type guard to ensure actions.show capabilities are a boolean even though tye are typed as a boolean | Record * disable duplicate rule functionality for rules with actions * fix positioning of tooltips and add tooltip to rule duplicate button in overflow button * update tests * WIP - display bulk actions dropdown options as disabled + add tooltips describing why they are disabled * add eui tool tip as child of of each context menu item * PR feedback and utilize map of rule ids to rules to replace usage of array.finds * update snapshot * fix mocks * fix mocks * update wording with feedback from design team Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>
…ot have actions privileges w/ rule + actions (elastic#80220) * disable edit button only when there is an action present on the rule to be edited, but the user attempting the edit does not have actions privileges * adds tooltip to explain why the edit rule button is disabled * prevent user from editing rules with actions on the all rules table * adds tooltip to appear on all rules table * updates tests for missing params and missing mock of useKibana * disable activate switch on all rules table and rule details page * remove as casting in favor of a boolean type guard to ensure actions.show capabilities are a boolean even though tye are typed as a boolean | Record * disable duplicate rule functionality for rules with actions * fix positioning of tooltips and add tooltip to rule duplicate button in overflow button * update tests * WIP - display bulk actions dropdown options as disabled + add tooltips describing why they are disabled * add eui tool tip as child of of each context menu item * PR feedback and utilize map of rule ids to rules to replace usage of array.finds * update snapshot * fix mocks * fix mocks * update wording with feedback from design team Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>
…lout-for-warm-and-cold-tier * 'master' of github.com:elastic/kibana: (126 commits) Add cumulative sum expression function (elastic#80129) [APM] Fix link to trace (elastic#80993) Provide url rewritten in onPreRouting interceptor (elastic#80810) limit renovate to npm packages Fix bug in logs UI link (elastic#80943) [Monitoring] Fix bug with setup mode appearing on pages it shouldn't (elastic#80343) [Security Solution][Detection Engine] Fixes false positives caused by empty records in threat list docs test (elastic#81080) Fixed alerts ui test timeout issue, related to the multiple server calls for delete all alerts, by reducing the number of alerts to the two and increasing retry timeout. (elastic#81067) [APM] Fix service map highlighted edge on node select (elastic#80791) Fix typo in toast, slight copy adjustment. (elastic#80843) [Security Solution] reduce optimizer limits (elastic#80997) [maps] 7.10 documentation updates (elastic#79917) [Workplace Search] Fix Group Prioritization route and clean up design (elastic#80903) [Enterprise Search] Added reusable HiddenText component to Credentials (elastic#80033) Upgrade EUI to v29.5.0 (elastic#80753) [Maps] Fix layer-flash when changing style (elastic#80948) [Security Solution] [Detections] Disable edit button when user does not have actions privileges w/ rule + actions (elastic#80220) [Enterprise Search] Handle loading state on Credentials page (elastic#80035) [Monitoring] Fix cluster listing page in how it handles global state (elastic#78979) ...
…does not have actions privileges w/ rule + actions (#80220) (#81055) * disable edit button only when there is an action present on the rule to be edited, but the user attempting the edit does not have actions privileges * adds tooltip to explain why the edit rule button is disabled * prevent user from editing rules with actions on the all rules table * adds tooltip to appear on all rules table * updates tests for missing params and missing mock of useKibana * disable activate switch on all rules table and rule details page * remove as casting in favor of a boolean type guard to ensure actions.show capabilities are a boolean even though tye are typed as a boolean | Record * disable duplicate rule functionality for rules with actions * fix positioning of tooltips and add tooltip to rule duplicate button in overflow button * update tests * WIP - display bulk actions dropdown options as disabled + add tooltips describing why they are disabled * add eui tool tip as child of of each context menu item * PR feedback and utilize map of rule ids to rules to replace usage of array.finds * update snapshot * fix mocks * fix mocks * update wording with feedback from design team Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com> Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>
… does not have actions privileges w/ rule + actions (#80220) (#81056) * disable edit button only when there is an action present on the rule to be edited, but the user attempting the edit does not have actions privileges * adds tooltip to explain why the edit rule button is disabled * prevent user from editing rules with actions on the all rules table * adds tooltip to appear on all rules table * updates tests for missing params and missing mock of useKibana * disable activate switch on all rules table and rule details page * remove as casting in favor of a boolean type guard to ensure actions.show capabilities are a boolean even though tye are typed as a boolean | Record * disable duplicate rule functionality for rules with actions * fix positioning of tooltips and add tooltip to rule duplicate button in overflow button * update tests * WIP - display bulk actions dropdown options as disabled + add tooltips describing why they are disabled * add eui tool tip as child of of each context menu item * PR feedback and utilize map of rule ids to rules to replace usage of array.finds * update snapshot * fix mocks * fix mocks * update wording with feedback from design team Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com> Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
When a user with no actions privileges visits the rule details page of a rule with actions, the following capabilities will be disabled on the UI:
Edit Rule Settings button
"Edit Rule Settings" button will be greyed out similarly to when the a user does not have CRUD privileges for SIEM.
and on the all rules table:
Activate switch
Disabling the activate switch on rules with actions on all rules table
Disabling the activate switch on rules with actions on rule details page
Duplicate rule
Disable duplicate ability on all rules table
Disable duplicate ability on rule details page
Bulk actions
Disable the bulk functionality of duplicate, activate, deactivate
Checklist
Delete any items that are not applicable to this PR.
For maintainers