[RBAC] User kicked out when accessing a forbidden resource

[Lhorus6]

Description

I created a user who can only access a TAXII collection in order to share data. I have a Role containing only one capability: Access Data Sharing (and nothing else).

• He can access the TAXII collection, as desired
• But it can also access the interface. This isn't a problem, because he can't see anything.

However, he can click on the “Data > Data sharing” menu.

When he does this, two problems arise:

1. He sees the page for a quarter of a second, and therefore sees the existing Live streams (which shouldn't be possible).
2. It is thrown out of the platform rather than getting a “you are not authorized to access this screen” error message.

Environment

OCTI 6.3.6

Reproducible Steps

Steps to create the smallest reproducible scenario:

1. Create a user part of a group with all markings and with a role containing only "Access data sharing"
2. Log on to the platform with this user and try to access the “Data > Data sharing” page.

Expected Output

No “Data > Data sharing” button at all

OR

Have it but:

• No page preview for a quarter of a second
• Get an error message rather than getting thrown out

NB: Even better would be not to be able to log in to the interface ;)

[nino-filigran]

For me the fix is:

• do not log out user
• ability to view the menu data sharing
• ability to access any pages within data sharing WITHOUT the ability to manage any feeds, taxii collection.

Ok with this @romain-filigran ?

[romain-filigran]

Yes @nino-filigran , it makes sense