Hide timeline bar if user does not have security solution crud capability #123775

jamster10 · 2022-01-25T22:45:26Z

Summary

If a user does not have show capability for Security Solution from role permissions, but they do have access to cases (within Security Solution), they should not be able to interact with the bottom bar (Timelines).

As such, the bottom bar is now wrapped in a conditional to perform the check noted above.

A user with Cases but no `show` security solution permissions:

Before:

After:

Checklist

Delete any items that are not applicable to this PR.

Unit or functional tests were updated or added to match the most common scenarios
Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)

elasticmachine · 2022-01-25T22:45:28Z

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine · 2022-01-25T22:45:29Z

Pinging @elastic/security-solution (Team: SecuritySolution)

jamster10 · 2022-01-25T23:01:45Z

Hey, @paulewing @monina-n, I wasnt sure if a user only has Read permission, if they should be able to see the bottom bar. Currently if they do have read permissions to SecuritySolution, they do see the timeline bottom bar on most pages, as they would if they had full crud capability. I want to make sure this is expected.

My changes prevent a user with no read or write capability from seeing the timeline bar.

…lity

…ssioned

semd · 2022-01-26T11:51:03Z

x-pack/plugins/security_solution/public/app/home/template_wrapper/index.tsx

+        bottomBar={
+          userHasSecuritySolutionVisible ? (
+            <SecuritySolutionBottomBar onAppLeave={onAppLeave} />
+          ) : (


NIT: the bottomBar property is optional, we could also omit the prop or just pass undefined, instead of the empty fragment

semd · 2022-01-26T12:42:21Z

Hey @jamster10, yes I agree we should make a decision about what to do with the timeline if the user only has the READ privilege.
I have been testing the current changes, everything works great when the user doesn't have ANY security solution privilege, but when the user has only the READ privilege I have spotted some problems:

The user is able to open the "Untitled Timeline" and save it, then an error arises in the console and the application enters an inconsistent state, when the application is refreshed we can see the timeline was not saved:

Gravacio.de.pantalla.2022-01-26.a.les.12.57.27.mov

If we are going to allow READ only access to the timeline, maybe we should disable the save button.

The user is able to click the "Investigate in timeline" button in the alerts table, when the timeline opens the same error appears in the console, and the application enters an inconsistent state:

Gravacio.de.pantalla.2022-01-26.a.les.12.58.59.mov

If we are going to allow READ only access to this section this error needs to be fixed, if we are not then maybe we should disable the "Investigate in timeline" button in the alerts table.

@paulewing @monina-n What do you think?

cc @YulNaumenko

…ssioned

kibana-ci · 2022-01-27T19:10:33Z

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
`securitySolution`	4.6MB	4.6MB	+63.0B

History

💔 Build #19871 failed a38ae58
💚 Build #19572 succeeded 623f108
💔 Build #19563 failed b3f71f79cffaec95a34e373e2c20a8ad19683470

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @jamster10

semd

LGTM! 👌
Let's fix the "read-only" problems in another PR.

…lity (elastic#123775) * Hide timeline bar if user does not have security solution crud capability * change visibility to be based on show instead of crud * PR fix Co-authored-by: Kristof-Pierre Cummings <[email protected]>

kibanamachine · 2022-02-01T14:36:19Z