[backend] Fix the file change right

[Kedae]

Closes #5435

[codecov]

Codecov Report

Attention: 39 lines in your changes are missing coverage. Please review.

Comparison is base (6ef714f) 66.12% compared to head (dccdd7d) 66.14%.

Files	Patch %	Lines
...l/src/modules/internal/document/document-domain.ts	65.00%	14 Missing ⚠️
...-platform/opencti-graphql/src/http/httpPlatform.js	0.00%	10 Missing ⚠️
...rm/opencti-graphql/src/resolvers/stixCoreObject.js	20.00%	4 Missing ⚠️
...opencti-graphql/src/resolvers/externalReference.js	25.00%	3 Missing ⚠️
...encti-graphql/src/resolvers/stixCyberObservable.js	25.00%	3 Missing ⚠️
...cti-platform/opencti-graphql/src/resolvers/file.js	33.33%	2 Missing ⚠️
...ql/src/modules/internal/document/document-types.ts	0.00%	1 Missing ⚠️
...ncti-graphql/src/resolvers/stixCoreRelationship.js	50.00%	1 Missing ⚠️
.../opencti-graphql/src/resolvers/stixDomainObject.js	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5587      +/-   ##
==========================================
+ Coverage   66.12%   66.14%   +0.01%     
==========================================
  Files         512      512              
  Lines       60398    60400       +2     
  Branches     4401     4406       +5     
==========================================
+ Hits        39936    39949      +13     
+ Misses      20462    20451      -11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[SouadHadjiat]

if it's now singular "path" instead of "paths", maybe we can rename the method too ? paginatedForPathWithEnrichment or paginatedFilesWithEnrichment so it's not dependent on the parameters

[SouadHadjiat]

the third parameter of checkFileAccess is scope and here it's set with entity_id, doesn't seem right, no ?

[Kedae]

Well, it's the scope for the "UserAction" log, so I think it's a good call to have the entity_id to tell "User A tried to access files of this specific entity and cannot". But I'm open to other thoughts

[SouadHadjiat]

scopes should be a limited list of operations I think, but I don't know well the activity logging part. I can see this graph in a user activity analytics which is a distribution based on scope :

It might not help to have ids in scope

[Kedae]

You're completely right, my bad I'll change that :)

[SouadHadjiat]

it's even defined in UserActionListener, all event_scope are typed with specific values

[SouadHadjiat]

There is an issue here : I can see all analyst workbenches in a report (I should see only the report analyst workbenches, none here)
I can't reproduce the issue on testing platform.

[SouadHadjiat]

if the entity_id is not part of the options, it won't be used as a filter to list only files linked to this entity_id

[SouadHadjiat]

Fix analyst workbench list displayed in an entity data tab (should be filtered by entity, it displays all analyst workbenches)

[SouadHadjiat]

I don't really understand why entity_id has been extracted from opts as a separate parameter knowing that FilesOptions type still has entity_id. Why not keep entity_id inside opts and extract in the method ?

[Kedae]

It's a bit of semantic actually. We want to enforce that entity_id is a important prop from this function to get files and not just some stuff you can add in opts.
I understand your concern, we've discussed that with Julien and thougth it would be more explicit that way

[SouadHadjiat]

Tested locally and it seem to work well ✅