From 7362958105c9e67582d7eafa996902e16387d977 Mon Sep 17 00:00:00 2001
From: David Sanchez Soler
Date: Wed, 26 Oct 2022 13:23:04 +0200
Subject: [PATCH] Adds RBAC API checks for host isolation exceptions
---
 .../host_isolation_exceptions_validator.ts | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/host_isolation_exceptions_validator.ts b/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/host_isolation_exceptions_validator.ts
index 39e86e7104fae..01809c2c28f68 100644
--- a/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/host_isolation_exceptions_validator.ts
+++ b/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/host_isolation_exceptions_validator.ts
@@ -60,9 +60,18 @@ export class HostIsolationExceptionsValidator extends BaseValidator {
 return item.listId === ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID;
 }
 
+ protected async validateHasWritePrivilege(): Promise {
+ return super.validateHasPrivilege('canWriteHostIsolationExceptions');
+ }
+
+ protected async validateHasReadPrivilege(): Promise {
+ return super.validateHasPrivilege('canReadHostIsolationExceptions');
+ }
+
 async validatePreCreateItem(
 item: CreateExceptionListItemOptions
 ): Promise {
+ await this.validateHasWritePrivilege();
 await this.validateCanIsolateHosts();
 await this.validateHostIsolationData(item);
 await this.validateByPolicyItem(item);
@@ -75,6 +84,7 @@ export class HostIsolationExceptionsValidator extends BaseValidator {
 ): Promise {
 const updatedItem = _updatedItem as ExceptionItemLikeOptions;
 
+ await this.validateHasWritePrivilege();
 await this.validateCanIsolateHosts();
 await this.validateHostIsolationData(updatedItem);
 await this.validateByPolicyItem(updatedItem);
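Review bot: The two new helpers, `validateHasWritePrivilege` and `validateHasReadPrivilege`, are undocumented and call `super.validateHasPrivilege(...)` where `this.validateHasPrivilege(...)` is the usual form; `super.` skips any override on this class or a subclass, which should be a deliberate choice for an authorization check rather than an accident. I would add a one-line TSDoc to each, for example `/** Rejects unless the caller has the canWriteHostIsolationExceptions privilege. */`, assuming the base method rejects on a missing privilege (its body is not visible here). The diffstat lists a single changed file, so no test pins the new checks on the create hook here or on the update hook in the next hunk; a test per hook that expects rejection for a caller lacking the privilege would guard this against regressions. The bodies of `validatePreCreateItem` and of the update hook continue outside their hunks.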
@@ -83,27 +93,27 @@ export class HostIsolationExceptionsValidator extends BaseValidator {
 }
 
 async validatePreGetOneItem(): Promise {
- await this.validateCanManageEndpointArtifacts();
+ await this.validateHasReadPrivilege();
 }
 
 async validatePreSummary(): Promise {
- await this.validateCanManageEndpointArtifacts();
+ await this.validateHasReadPrivilege();
 }
 
 async validatePreDeleteItem(): Promise {
- await this.validateCanManageEndpointArtifacts();
+ await this.validateHasWritePrivilege();
 }
 
 async validatePreExport(): Promise {
- await this.validateCanManageEndpointArtifacts();
+ await this.validateHasWritePrivilege();
 }
 
 async validatePreSingleListFind(): Promise {
- await this.validateCanManageEndpointArtifacts();
+ await this.validateHasReadPrivilege();
 }
 
 async validatePreMultiListFind(): Promise {
- await this.validateCanManageEndpointArtifacts();
+ await this.validateHasReadPrivilege();
 }
 
 async validatePreImport(): Promise {
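Review bot: `validatePreExport` now requires the write privilege although an export only returns data, while `validatePreSingleListFind` and `validatePreMultiListFind` expose the same list to a caller holding only `canReadHostIsolationExceptions`; the stricter gate therefore does not protect the content and will block read-only roles from exporting. If write is intended, record the reason in a comment such as `// Export is treated as a management action, so it requires write access.`; otherwise the line should be `await this.validateHasReadPrivilege();`. `validatePreDeleteItem` checks only the write privilege, unlike the create and update hooks, which also call `validateCanIsolateHosts()`; if that asymmetry is deliberate, a one-line comment on the method would stop a later reader from "fixing" it. `validatePreImport` begins on the hunk's last line and its body lies outside the hunk, so whether import is gated cannot be confirmed from here.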