PR feedback

x-pack/plugins/cases/common/api/cases/configure.ts

@@ -17,7 +17,6 @@ const ClosureTypeRT = rt.union([rt.literal('close-by-user'), rt.literal('close-b
 const CasesConfigureBasicRt = rt.type({
   connector: CaseConnectorRt,
   closure_type: ClosureTypeRT,
-  // TODO: should a user be able to update the owner?
   owner: rt.string,
 });
 

x-pack/plugins/cases/server/authorization/index.ts

@@ -79,7 +79,7 @@ export const Operations: Record<ReadOperations | WriteOperations, OperationDetai
     name: WriteOperations.UpdateConfiguration,
     action: 'update-configuration',
     verbs: updateVerbs,
-    docType: 'case-configuration',
+    docType: 'case configuration',
     savedObjectType: CASE_CONFIGURE_SAVED_OBJECT,
   },
   [ReadOperations.GetCase]: {

x-pack/plugins/cases/server/routes/api/configure/patch_configure.ts

@@ -14,6 +14,7 @@ import {
   CaseConfigureRequestParamsRt,
   throwErrors,
   CasesConfigurePatch,
+  excess,
 } from '../../../../common/api';
 import { RouteDeps } from '../types';
 import { wrapError, escapeHatch } from '../utils';
@@ -31,7 +32,7 @@ export function initPatchCaseConfigure({ router, logger }: RouteDeps) {
     async (context, request, response) => {
       try {
         const params = pipe(
-          CaseConfigureRequestParamsRt.decode(request.params),
+          excess(CaseConfigureRequestParamsRt).decode(request.params),
           fold(throwErrors(Boom.badRequest), identity)
         );
 

x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/get_case.ts

@@ -155,7 +155,7 @@ export default ({ getService }: FtrProviderContext): void => {
         });
       });
 
-      it('should not get a case', async () => {
+      it('should not get a case when the user does not have access to owner', async () => {
         const newCase = await createCase(
           supertestWithoutAuth,
           getPostCaseRequest({ owner: 'securitySolutionFixture' }),

x-pack/test/case_api_integration/security_and_spaces/tests/common/configure/get_configure.ts

@@ -59,7 +59,6 @@ export default ({ getService }: FtrProviderContext): void => {
       await actionsRemover.removeAll();
     });
 
-    // TODO: Decide what to do with no configuration (no owner)
     it('should return an empty find body correctly if no configuration is loaded', async () => {
       const configuration = await getConfiguration({ supertest });
       expect(configuration).to.eql([]);
@@ -200,7 +199,7 @@ export default ({ getService }: FtrProviderContext): void => {
       ]) {
         it(`User ${scenario.user.username} with role(s) ${scenario.user.roles.join()} and space ${
           scenario.space
-        } - should NOT read a case`, async () => {
+        } - should NOT read a case configuration`, async () => {
           // super user creates a configuration at the appropriate space
           await createConfiguration(supertestWithoutAuth, getConfigurationRequest(), 200, {
             user: superUser,

x-pack/test/case_api_integration/security_and_spaces/tests/common/configure/patch_configure.ts

@@ -239,6 +239,17 @@ export default ({ getService }: FtrProviderContext): void => {
       );
     });
 
+    it('should not allow excess attributes', async () => {
+      const configuration = await createConfiguration(supertest);
+      await updateConfiguration(
+        supertest,
+        configuration.id,
+        // @ts-expect-error
+        { notExist: 'not-exist', version: configuration.version },
+        400
+      );
+    });
+
     describe('rbac', () => {
       it('User: security solution only - should update a configuration', async () => {
         const configuration = await createConfiguration(