[backend] do not send restricted entities with distributions

OpenCTI-Platform · Mar 26, 2024 · 9a79388 · 9a79388
1 parent 55ff687
commit 9a79388
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/opencti-platform/opencti-graphql/src/database/middleware.js b/opencti-platform/opencti-graphql/src/database/middleware.js
@@ -450,10 +450,19 @@ export const stixLoadByFilters = async (context, user, types, args) => {
 // region Graphics
 const convertAggregateDistributions = async (context, user, limit, orderingFunction, distribution) => {
   const data = R.take(limit, R.sortWith([orderingFunction(R.prop('value'))])(distribution));
-  const resolveLabels = await elFindByIds(context, user, data.map((d) => d.label), { toMap: true });
-  return data // Depending of user access, info can be empty, must be filtered
-    .filter((n) => isNotEmptyField(resolveLabels[n.label.toLowerCase()]))
-    .map((n) => R.assoc('entity', resolveLabels[n.label.toLowerCase()], n));
+  // resolve all of them, limited to ids for comparison in next step
+  const allResolveLabels = await elFindByIds(context, SYSTEM_USER, data.map((d) => d.label), { toMap: true });
+  const grantedResolveLabels = await elFindByIds(context, user, data.map((d) => d.label), { toMap: true });
+  // entities not granted shall be sent as "restricted" with limited information
+  return data
+    .filter((n) => isNotEmptyField(allResolveLabels[n.label.toLowerCase()]))
+    .map((n) => {
+      if (grantedResolveLabels[n.label.toLowerCase()]) {
+        return R.assoc('entity', grantedResolveLabels[n.label.toLowerCase()], n);
+      }
+      // return R.assoc('entity', { id: n.label, entity_type: n.entity_type, name: 'Restricted' }, n);
+      return n; // no entity details
+    });
 };
 export const timeSeriesHistory = async (context, user, types, args) => {
   const { startDate, endDate, interval } = args;