MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity
MISP/app/Controller/UsersController.php

996 lines
35 KiB
PHP
Raw Normal View History

Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
<?php
App::uses('AppController', 'Controller');
/**
* Users Controller
*
* @property User $User
*/
class UsersController extends AppController {
public $newkey;
public $components = array(
'Security',
'Email',
);
public $paginate = array(
'limit' => 60,
'order' => array(
'User.org' => 'ASC'
)
);
public function beforeFilter() {
parent::beforeFilter();
// what pages are allowed for non-logged-in users
$this->Auth->allow('login', 'logout');
}
/**
* view method
*
* @param string $id
* @return void
* @throws NotFoundException
*/
public function view($id = null) {
if ("me" == $id) $id = $this->Auth->user('id');
Security issue fixed with UsersController - users could view other user profiles - users could view other user profiles through edit user
2013-07-15 16:46:44 +02:00
if (!$this->_isSiteAdmin() && $this->Auth->user('id') != $id) {
throw new NotFoundException(__('Invalid user or not authorised.'));
}
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$this->User->id = $id;
$this->User->recursive = 0;
if (!$this->User->exists()) {
throw new NotFoundException(__('Invalid user'));
}
$this->set('user', $this->User->read(null, $id));
}
/**
* edit method
*
* @param string $id
* @return void
* @throws NotFoundException
*/
public function edit($id = null) {
$me = false;
if ("me" == $id) {
$id = $this->Auth->user('id');
$me = true;
}
$this->User->read(null, $id);
if (!$this->User->exists() && !$me && !$this->_isSiteAdmin() && !($this->_isAdmin() && $this->Auth->user('org') == $this->User->data['User']['org'])) {
throw new NotFoundException(__('Invalid user or not authorised.'));
}
if ($this->request->is('post') || $this->request->is('put')) {
// What fields should be saved (allowed to be saved)
Users weren't able to change the contactalert field
2013-08-20 11:26:24 +02:00
$fieldList = array('email', 'autoalert', 'gpgkey', 'nids_sid', 'contactalert');
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
if ("" != $this->request->data['User']['password'])
$fieldList[] = 'password';
// Save the data
if ($this->User->save($this->request->data, true ,$fieldList)) {
$this->Session->setFlash(__('The profile has been updated'));
$this->_refreshAuth();
$this->redirect(array('action' => 'view', $id));
} else {
$this->Session->setFlash(__('The profile could not be updated. Please, try again.'));
}
} else {
$this->User->recursive = 0;
$this->User->read(null, $id);
Security issue fixed with UsersController - users could view other user profiles - users could view other user profiles through edit user
2013-07-15 16:46:44 +02:00
if (!$this->User->exists() || (!$this->_isSiteAdmin() && $this->Auth->user('org') != $this->User->data['User']['org'])) {
throw new NotFoundException(__('Invalid user or not authorised.'));
}
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$this->User->set('password', '');
$this->request->data = $this->User->data;
}
$roles = $this->User->Role->find('list');
$this->set(compact('roles'));
Further work on the UI - reworked almost all of the side menues to be centralised - Some fixes for the IOC export not handling two new-ish types correctly - Some changes to the menues (including a few options that didn't exist before) - rework of the popovers in some forms
2013-10-24 16:41:42 +02:00
$this->set('id', $id);
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
}
public function change_pw() {
$id = $this->Auth->user('id');
$this->User->id = $id;
if ($this->request->is('post') || $this->request->is('put')) {
// What fields should be saved (allowed to be saved)
$fieldList[] = 'password';
// Save the data
if ($this->User->save($this->request->data, true ,$fieldList)) {
$this->Session->setFlash(__('Password Changed.'));
$this->User->saveField('email', $this->Auth->user('email'));
$this->User->saveField('change_pw', 0);
$this->_refreshAuth();
$this->redirect(array('action' => 'view', $id));
} else {
$this->Session->setFlash(__('The password could not be updated. Please, try again.'));
}
} else {
$this->User->recursive = 0;
$this->User->read(null, $id);
$this->User->set('password', '');
$this->request->data = $this->User->data;
}
// XXX ACL roles
$this->extraLog("change_pw");
$roles = $this->User->Role->find('list');
$this->set(compact('roles'));
}
/**
* delete method
*
* @param string $id
* @return void
* @throws MethodNotAllowedException
* @throws NotFoundException
*/
public function delete($id = null) {
if ("me" == $id) $id = $this->Auth->user('id');
if (!$this->request->is('post')) {
throw new MethodNotAllowedException();
}
$this->User->id = $id;
if (!$this->User->exists()) {
throw new NotFoundException(__('Invalid user'));
}
//if ($this->Auth->User('org') != 'ADMIN' && $this->Auth->User('org') != $this->User->data['User']['org']) $this->redirect(array('controller' => 'users', 'action' => 'index', 'admin' => true));
//// Only own profile
//if ($this->Auth->user('id') != $id) {
// throw new ForbiddenException('You are not authorized to delete this profile.');
//}
if ($this->User->delete()) {
$this->Session->setFlash(__('User deleted'));
$this->redirect(array('action' => 'index'));
}
$this->Session->setFlash(__('User was not deleted'));
$this->redirect(array('action' => 'index'));
}
/**
* admin_index method
*
* @return void
*/
public function admin_index() {
Index filtering made more generic, added to users
2014-08-20 10:06:43 +02:00
$urlparams = "";
$passedArgsArray = array();
$booleanFields = array('autoalert', 'contactalert', 'termsaccepted');
$textFields = array('role', 'email');
// org admins can't see users of other orgs
if ($this->_isSiteAdmin()) $textFields[] = 'org';
// check each of the passed arguments whether they're a filter (could also be a sort for example) and if yes, add it to the pagination conditions
foreach ($this->passedArgs as $k => $v) {
if (substr($k, 0, 6) === 'search') {
if ($v != "") {
if ($urlparams != "") $urlparams .= "/";
$urlparams .= $k . ":" . $v;
}
$searchTerm = substr($k, 6);
if (in_array($searchTerm, $booleanFields)) {
if ($v != "") $this->paginate['conditions'][] = array('User.' . $searchTerm => $v);
} else if (in_array($searchTerm, $textFields)) {
if ($v != "") {
if ($searchTerm == "role") $searchTerm = "role_id";
$pieces = explode('|', $v);
$test = array();
foreach ($pieces as $piece) {
if ($piece[0] == '!') {
Fix to the capitalisation in the user index filter and fix to the scripts tmp folder not being created on git clone
2014-10-24 14:17:58 +02:00
if ($searchTerm == 'email' || $searchTerm == 'org') $this->paginate['conditions']['AND'][] = array('LOWER(User.' . $searchTerm . ') NOT LIKE' => '%' . strtolower(substr($piece, 1)) . '%');
Further work on the manual, fix to the user filter
2014-10-23 14:09:50 +02:00
else $this->paginate['conditions']['AND'][] = array('User.' . $searchTerm => substr($piece, 1));
Index filtering made more generic, added to users
2014-08-20 10:06:43 +02:00
} else {
Fix to the capitalisation in the user index filter and fix to the scripts tmp folder not being created on git clone
2014-10-24 14:17:58 +02:00
if ($searchTerm == 'email' || $searchTerm == 'org') $test['OR'][] = array('LOWER(User.' . $searchTerm . ') LIKE' => '%' . strtolower($piece) . '%');
Further work on the manual, fix to the user filter
2014-10-23 14:09:50 +02:00
else $test['OR'][] = array('User.' . $searchTerm => $piece);
Index filtering made more generic, added to users
2014-08-20 10:06:43 +02:00
}
}
if (!empty($test)) $this->paginate['conditions']['AND'][] = $test;
}
}
}
$passedArgsArray[$searchTerm] = $v;
}
$this->set('urlparams', $urlparams);
$this->set('passedArgsArray', $passedArgsArray);
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$this->User->recursive = 0;
Performance
2014-08-06 13:40:23 +02:00
$conditions = array();
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
if ($this->_isSiteAdmin()) {
$this->set('users', $this->paginate());
} else {
if (!($this->_isAdmin())) throw new NotFoundException(__('Invalid user or not authorised.'));
$conditions['User.org LIKE'] = $this->Auth->User('org');
$this->paginate = array(
'conditions' => array($conditions),
);
$this->set('users', $this->paginate());
}
}
Index filtering made more generic, added to users
2014-08-20 10:06:43 +02:00
public function admin_filterUserIndex() {
Small permission change
2014-08-20 10:10:31 +02:00
if (!$this->_isAdmin() && !$this->_isSiteAdmin()) throw new MethodNotAllowedException();
Index filtering made more generic, added to users
2014-08-20 10:06:43 +02:00
$passedArgsArray = array();
$booleanFields = array('autoalert', 'contactalert', 'termsaccepted');
$textFields = array('role', 'email');
$showorg = 0;
// org admins can't see users of other orgs
if ($this->_isSiteAdmin()) {
$textFields[] = 'org';
$showorg = 1;
}
$this->set('differentFilters', $booleanFields);
$this->set('simpleFilters', $textFields);
$rules = array_merge($booleanFields, $textFields);
$this->set('showorg', $showorg);
$filtering = array();
foreach ($booleanFields as $b) {
$filtering[$b] = '';
}
foreach ($textFields as $t) {
$filtering[$t] = array('OR' => array(), 'NOT' => array());
}
foreach ($this->passedArgs as $k => $v) {
if (substr($k, 0, 6) === 'search') {
$searchTerm = substr($k, 6);
if (in_array($searchTerm, $booleanFields)) $filtering[$searchTerm] = $v;
else if (in_array($searchTerm, $textFields)) {
$pieces = explode('|', $v);
foreach ($pieces as $piece) {
if ($piece[0] == '!') $filtering[$searchTerm]['NOT'][] = substr($piece,1);
else $filtering[$searchTerm]['OR'][] = $piece;
}
}
$passedArgsArray[$searchTerm] = $v;
}
}
$this->set('filtering', json_encode($filtering));
$roles = $this->User->Role->find('all', array('recursive' => -1));
$roleNames = array();
$roleJSON = array();
foreach ($roles as $k => $v) {
$roleNames[$v['Role']['id']] = $v['Role']['name'];
$roleJSON[] = array('id' => $v['Role']['id'], 'value' => $v['Role']['name']);
}
$this->set('roles', $roleNames);
$this->set('roleJSON', json_encode($roleJSON));
/*
$conditions = array();
if (!$this->_isSiteAdmin()) {
$conditions = array('OR' => array(array('orgc' => $this->Auth->User('org')), array('distribution' > 0)));
}
$events = $this->Event->find('all', array(
'recursive' => -1,
'fields' => array('orgc', 'distribution'),
'conditions' => $conditions,
'group' => 'orgc'
));
if (Configure::read('MISP.showorg') != 'false') {
$orgs = array();
foreach ($events as $e) {
$orgs[] = $e['Event']['orgc'];
}
$orgs = $this->_arrayToValuesIndexArray($orgs);
$this->set('showorg', true);
$this->set('orgs', $orgs);
$rules[] = 'org';
} else {
$this->set('showorg', false);
}
*/
$rules = $this->_arrayToValuesIndexArray($rules);
$this->set('rules', $rules);
$this->set('baseurl', Configure::read('MISP.baseurl'));
$this->layout = 'ajax';
}
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
/**
* admin_view method
*
* @param string $id
* @return void
* @throws NotFoundException
*/
public function admin_view($id = null) {
$this->User->id = $id;
if (!$this->User->exists()) {
throw new NotFoundException(__('Invalid user'));
}
$this->set('user', $this->User->read(null, $id));
Typo in UsersController fixed
2013-06-11 10:37:56 +02:00
if (!$this->_isSiteAdmin() && !($this->_isAdmin() && $this->Auth->user('org') == $this->User->data['User']['org'])) throw new MethodNotAllowedException();
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$temp = $this->User->field('invited_by');
Further work on the UI - reworked almost all of the side menues to be centralised - Some fixes for the IOC export not handling two new-ish types correctly - Some changes to the menues (including a few options that didn't exist before) - rework of the popovers in some forms
2013-10-24 16:41:42 +02:00
$this->set('id', $id);
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$this->set('user2', $this->User->read(null, $temp));
}
/**
* admin_add method
*
* @return void
*/
public function admin_add() {
if (!$this->_isAdmin()) throw new Exception('Administrators only.');
$this->set('currentOrg', $this->Auth->User('org'));
First rework of the siteadmin role - ADMIN org removed. - Siteadmins are now identified by the perm_site_admin flag - Siteadmins can now be of any organisation - editing the regexp / whitelist rules can now be done by a special user with the perm_regexp_access in his/her role - Executing a mass replace of attribute values based on the regexp rules cannot be initiated by a regexp/whitelist user, only by a site admin - If the login page is reached without any users / roles defined they are automatically created (perviously it was only the user that was created) - Org admins are restricted from assigning perm_site_admin, perm_sync and perm_regexp_access roles to users. This can only be done by a site admin.
2013-10-03 11:45:27 +02:00
$this->set('isSiteAdmin', $this->_isSiteAdmin());
$params = null;
if (!$this->_isSiteAdmin()) {
$params = array('conditions' => array('perm_site_admin !=' => 1, 'perm_sync !=' => 1, 'perm_regexp_access !=' => 1));
}
$roles = $this->User->Role->find('list', $params);
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
if ($this->request->is('post')) {
$this->User->create();
// set invited by
$this->request->data['User']['invited_by'] = $this->Auth->user('id');
$this->request->data['User']['change_pw'] = 1;
$this->request->data['User']['newsread'] = '2000-01-01';
First rework of the siteadmin role - ADMIN org removed. - Siteadmins are now identified by the perm_site_admin flag - Siteadmins can now be of any organisation - editing the regexp / whitelist rules can now be done by a special user with the perm_regexp_access in his/her role - Executing a mass replace of attribute values based on the regexp rules cannot be initiated by a regexp/whitelist user, only by a site admin - If the login page is reached without any users / roles defined they are automatically created (perviously it was only the user that was created) - Org admins are restricted from assigning perm_site_admin, perm_sync and perm_regexp_access roles to users. This can only be done by a site admin.
2013-10-03 11:45:27 +02:00
if (!$this->_isSiteAdmin()) {
$this->request->data['User']['org'] = $this->Auth->User('org');
$this->loadModel('Role');
$this->Role->recursive = -1;
$chosenRole = $this->Role->findById($this->request->data['User']['role_id']);
if ($chosenRole['Role']['perm_site_admin'] == 1 || $chosenRole['Role']['perm_regexp_access'] == 1 || $chosenRole['Role']['perm_sync'] == 1) {
throw new Exception('You are not authorised to assign that role to a user.');
}
}
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
if ($this->User->save($this->request->data)) {
$this->Session->setFlash(__('The user has been saved'));
$this->redirect(array('action' => 'index'));
} else {
// reset auth key for a new user
$this->set('authkey', $this->newkey);
$this->Session->setFlash(__('The user could not be saved. Please, try again.'));
}
} else {
// generate auth key for a new user
$this->newkey = $this->User->generateAuthKey();
$this->set('authkey', $this->newkey);
}
$this->set(compact('roles'));
}
/**
* admin_edit method
*
* @param string $id
* @return void
* @throws NotFoundException
*/
public function admin_edit($id = null) {
//debug($fields);debug(tru);
$this->set('currentOrg', $this->Auth->User('org'));
$this->User->id = $id;
if (!$this->User->exists()) {
throw new NotFoundException(__('Invalid user'));
}
First rework of the siteadmin role - ADMIN org removed. - Siteadmins are now identified by the perm_site_admin flag - Siteadmins can now be of any organisation - editing the regexp / whitelist rules can now be done by a special user with the perm_regexp_access in his/her role - Executing a mass replace of attribute values based on the regexp rules cannot be initiated by a regexp/whitelist user, only by a site admin - If the login page is reached without any users / roles defined they are automatically created (perviously it was only the user that was created) - Org admins are restricted from assigning perm_site_admin, perm_sync and perm_regexp_access roles to users. This can only be done by a site admin.
2013-10-03 11:45:27 +02:00
$params = null;
if (!$this->_isSiteAdmin()) {
$params = array('conditions' => array('perm_site_admin !=' => 1, 'perm_sync !=' => 1, 'perm_regexp_access !=' => 1));
}
$roles = $this->User->Role->find('list', $params);
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$this->set('currentId', $id);
if ($this->request->is('post') || $this->request->is('put')) {
$fields = array();
foreach (array_keys($this->request->data['User']) as $field) {
if($field != 'password') array_push($fields, $field);
}
// TODO Audit, extraLog, fields get orig
$fieldsOldValues = array();
foreach ($fields as $field) {
if($field != 'confirm_password') array_push($fieldsOldValues, $this->User->field($field));
else array_push($fieldsOldValues, $this->User->field('password'));
}
// TODO Audit, extraLog, fields get orig END
if ("" != $this->request->data['User']['password'])
$fields[] = 'password';
$fields[] = 'role_id';
First rework of the siteadmin role - ADMIN org removed. - Siteadmins are now identified by the perm_site_admin flag - Siteadmins can now be of any organisation - editing the regexp / whitelist rules can now be done by a special user with the perm_regexp_access in his/her role - Executing a mass replace of attribute values based on the regexp rules cannot be initiated by a regexp/whitelist user, only by a site admin - If the login page is reached without any users / roles defined they are automatically created (perviously it was only the user that was created) - Org admins are restricted from assigning perm_site_admin, perm_sync and perm_regexp_access roles to users. This can only be done by a site admin.
2013-10-03 11:45:27 +02:00
if (!$this->_isSiteAdmin()) {
$this->loadModel('Role');
$this->Role->recursive = -1;
$chosenRole = $this->Role->findById($this->request->data['User']['role_id']);
if ($chosenRole['Role']['perm_site_admin'] == 1 || $chosenRole['Role']['perm_regexp_access'] == 1 || $chosenRole['Role']['perm_sync'] == 1) {
throw new Exception('You are not authorised to assign that role to a user.');
}
}
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
if ($this->User->save($this->request->data, true, $fields)) {
// TODO Audit, extraLog, fields compare
// newValues to array
$fieldsNewValues = array();
foreach ($fields as $field) {
if ($field != 'confirm_password') {
$newValue = $this->data['User'][$field];
if (gettype($newValue) == 'array') {
$newValueStr = '';
$cP = 0;
foreach ($newValue as $newValuePart) {
if ($cP < 2) $newValueStr .= '-' . $newValuePart;
else $newValueStr = $newValuePart . $newValueStr;
$cP++;
}
array_push($fieldsNewValues, $newValueStr);
}
else array_push($fieldsNewValues, $newValue);
}
else array_push($fieldsNewValues, $this->data['User']['password']);
}
// compare
$fieldsResultStr = '';
$c = 0;
foreach ($fields as $field) {
if (isset($fieldsOldValues[$c]) && $fieldsOldValues[$c] != $fieldsNewValues[$c]) {
if($field != 'confirm_password') $fieldsResultStr = $fieldsResultStr . ', ' . $field . ' (' . $fieldsOldValues[$c] . ') => (' . $fieldsNewValues[$c] . ')';
}
$c++;
}
$fieldsResultStr = substr($fieldsResultStr, 2);
$this->extraLog("edit", "user", $fieldsResultStr); // TODO Audit, check: modify User
// TODO Audit, extraLog, fields compare END
$this->Session->setFlash(__('The user has been saved'));
$this->_refreshAuth(); // in case we modify ourselves
$this->redirect(array('action' => 'index'));
} else {
$this->Session->setFlash(__('The user could not be saved. Please, try again.'));
}
} else {
$this->User->recursive = 0;
$this->User->read(null, $id);
First rework of the siteadmin role - ADMIN org removed. - Siteadmins are now identified by the perm_site_admin flag - Siteadmins can now be of any organisation - editing the regexp / whitelist rules can now be done by a special user with the perm_regexp_access in his/her role - Executing a mass replace of attribute values based on the regexp rules cannot be initiated by a regexp/whitelist user, only by a site admin - If the login page is reached without any users / roles defined they are automatically created (perviously it was only the user that was created) - Org admins are restricted from assigning perm_site_admin, perm_sync and perm_regexp_access roles to users. This can only be done by a site admin.
2013-10-03 11:45:27 +02:00
if (!$this->_isSiteAdmin() && $this->Auth->User('org') != $this->User->data['User']['org']) $this->redirect(array('controller' => 'users', 'action' => 'index', 'admin' => true));
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$this->User->set('password', '');
$this->request->data = $this->User->data; // TODO CHECK
}
Small changes after merging the two feature branches - Update to the representation of the new permission flags - some small issues with the merge resolved
2013-10-25 11:31:35 +02:00
$this->set('id', $id);
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$this->set(compact('roles'));
}
/**
* admin_delete method
*
* @param string $id
* @return void
* @throws MethodNotAllowedException
* @throws NotFoundException
*/
public function admin_delete($id = null) {
if (!$this->request->is('post')) {
throw new MethodNotAllowedException();
}
if (!$this->_isAdmin()) throw new Exception('Administrators only.');
$this->User->id = $id;
$user = $this->User->read('email', $id);
$fieldsDescrStr = 'User (' . $id . '): ' . $user['User']['email'];
if (!$this->User->exists()) {
throw new NotFoundException(__('Invalid user'));
}
if ($this->User->delete()) {
$this->extraLog("delete", $fieldsDescrStr, ''); // TODO Audit, check: modify User
$this->Session->setFlash(__('User deleted'));
$this->redirect(array('action' => 'index'));
}
$this->Session->setFlash(__('User was not deleted'));
$this->redirect(array('action' => 'index'));
}
public function login() {
if ($this->Auth->login()) {
$this->extraLog("login"); // TODO Audit, extraLog, check: customLog i.s.o. extraLog, no auth user?: $this->User->customLog('login', $this->Auth->user('id'), array('title' => '','user_id' => $this->Auth->user('id'),'email' => $this->Auth->user('email'),'org' => 'IN2'));
Some bugs fixed - Resetting the auth key for a user that doesn't exist created an empty user - change_pw showed an admin menu on the side - rerouting after an incorrect auth request fixed (users/index doesn't exist) - temporarily disabled the redirect after login
2013-07-18 11:32:26 +02:00
// TODO removed the auto redirect for now, due to security concerns - will look more into this
// $this->redirect($this->Auth->redirectUrl());
$this->redirect(array('controller' => 'events', 'action' => 'index'));
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
} else {
// don't display authError before first login attempt
if (str_replace("//","/",$this->webroot . $this->Session->read('Auth.redirect')) == $this->webroot && $this->Session->read('Message.auth.message') == $this->Auth->authError) {
$this->Session->delete('Message.auth');
}
// don't display "invalid user" before first login attempt
create default admin user automatically
2013-06-04 13:06:57 +02:00
if($this->request->is('post')) {
$this->Session->setFlash(__('Invalid username or password, try again'));
}
First rework of the siteadmin role - ADMIN org removed. - Siteadmins are now identified by the perm_site_admin flag - Siteadmins can now be of any organisation - editing the regexp / whitelist rules can now be done by a special user with the perm_regexp_access in his/her role - Executing a mass replace of attribute values based on the regexp rules cannot be initiated by a regexp/whitelist user, only by a site admin - If the login page is reached without any users / roles defined they are automatically created (perviously it was only the user that was created) - Org admins are restricted from assigning perm_site_admin, perm_sync and perm_regexp_access roles to users. This can only be done by a site admin.
2013-10-03 11:45:27 +02:00
// populate the DB with the first role (site admin) if it's empty
$this->loadModel('Role');
if ($this->Role->find('count') == 0 ) {
$siteAdmin = array('Role' => array(
'id' => 1,
'name' => 'Site Admin',
'perm_add' => 1,
'perm_modify' => 1,
'perm_modify_org' => 1,
'perm_publish' => 1,
'perm_sync' => 1,
'perm_admin' => 1,
'perm_audit' => 1,
'perm_auth' => 1,
'perm_site_admin' => 1,
'perm_regexp_access' => 1,
Small fixes
2014-02-06 09:59:41 +01:00
'perm_tagger' => 1,
'perm_site_admin' => 1
First rework of the siteadmin role - ADMIN org removed. - Siteadmins are now identified by the perm_site_admin flag - Siteadmins can now be of any organisation - editing the regexp / whitelist rules can now be done by a special user with the perm_regexp_access in his/her role - Executing a mass replace of attribute values based on the regexp rules cannot be initiated by a regexp/whitelist user, only by a site admin - If the login page is reached without any users / roles defined they are automatically created (perviously it was only the user that was created) - Org admins are restricted from assigning perm_site_admin, perm_sync and perm_regexp_access roles to users. This can only be done by a site admin.
2013-10-03 11:45:27 +02:00
));
$this->Role->save($siteAdmin);
}
create default admin user automatically
2013-06-04 13:06:57 +02:00
// populate the DB with the first user if it's empty
if ($this->User->find('count') == 0 ) {
$admin = array('User' => array(
First rework of the siteadmin role - ADMIN org removed. - Siteadmins are now identified by the perm_site_admin flag - Siteadmins can now be of any organisation - editing the regexp / whitelist rules can now be done by a special user with the perm_regexp_access in his/her role - Executing a mass replace of attribute values based on the regexp rules cannot be initiated by a regexp/whitelist user, only by a site admin - If the login page is reached without any users / roles defined they are automatically created (perviously it was only the user that was created) - Org admins are restricted from assigning perm_site_admin, perm_sync and perm_regexp_access roles to users. This can only be done by a site admin.
2013-10-03 11:45:27 +02:00
'id' => 1,
'email' => 'admin@admin.test',
'org' => 'ADMIN',
'password' => 'admin',
'confirm_password' => 'admin',
'authkey' => $this->User->generateAuthKey(),
'nids_sid' => 4000000,
'newsread' => date('Y-m-d'),
'role_id' => 1,
'change_pw' => 1
));
create default admin user automatically
2013-06-04 13:06:57 +02:00
$this->User->validator()->remove('password'); // password is to simple, remove validation
$this->User->save($admin);
}
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
}
}
public function routeafterlogin() {
// Terms and Conditions Page
if (!$this->Auth->user('termsaccepted')) {
$this->redirect(array('action' => 'terms'));
}
// News page
$newNewsdate = new DateTime("2012-03-27"); // TODO general, fixed odd date??
$newsdate = new DateTime($this->Auth->user('newsread'));
if ($newNewsdate > $newsdate) {
$this->redirect(array('action' => 'news'));
}
// Events list
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
public function logout() {
if ($this->Session->check('Auth.User')) { // TODO session, user is logged in, so ..
$this->extraLog("logout"); // TODO Audit, extraLog, check: customLog i.s.o. extraLog, $this->User->customLog('logout', $this->Auth->user('id'), array());
}
$this->Session->setFlash(__('Good-Bye'));
$this->redirect($this->Auth->logout());
}
Most of the export caching done - also a fair bit of refactoring of the code, fatter models, thinner controllers, component moved to Lib
2013-11-15 15:39:34 +01:00
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
public function resetauthkey($id = null) {
if (!$id) {
$this->Session->setFlash(__('Invalid id for user', true), 'default', array(), 'error');
Some bugs fixed - Resetting the auth key for a user that doesn't exist created an empty user - change_pw showed an admin menu on the side - rerouting after an incorrect auth request fixed (users/index doesn't exist) - temporarily disabled the redirect after login
2013-07-18 11:32:26 +02:00
$this->redirect(array('action' => 'view', $this->Auth->user('id')));
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
}
// reset the key
$this->User->id = $id;
Some bugs fixed - Resetting the auth key for a user that doesn't exist created an empty user - change_pw showed an admin menu on the side - rerouting after an incorrect auth request fixed (users/index doesn't exist) - temporarily disabled the redirect after login
2013-07-18 11:32:26 +02:00
if (!$this->User->exists($id)) {
$this->Session->setFlash(__('Invalid id for user', true), 'default', array(), 'error');
$this->redirect(array('action' => 'view', $this->Auth->user('id')));
}
Security issue fixed with UsersController - users could view other user profiles - users could view other user profiles through edit user
2013-07-15 16:46:44 +02:00
$this->User->read();
if ('me' == $id ) $id = $this->Auth->user('id');
Most of the export caching done - also a fair bit of refactoring of the code, fatter models, thinner controllers, component moved to Lib
2013-11-15 15:39:34 +01:00
else if (!$this->_isSiteAdmin() && !($this->_isAdmin() && $this->Auth->user('org') == $this->User->data['User']['org']) && ($this->Auth->user('id') != $id)) throw new MethodNotAllowedException();
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$newkey = $this->User->generateAuthKey();
$this->User->saveField('authkey', $newkey);
$this->Session->setFlash(__('New authkey generated.', true));
$this->_refreshAuth();
$this->redirect($this->referer());
}
public function memberslist() {
// Orglist
$fields = array('User.org', 'count(User.id) as `num_members`');
$params = array('recursive' => 0,
'fields' => $fields,
'group' => array('User.org'),
:q
2013-11-06 10:52:18 +01:00
'order' => array('UPPER(User.org)'),
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
);
$orgs = $this->User->find('all', $params);
$this->set('orgs', $orgs);
Ajaxification of the event page done also, replaced histogram in memberslist - AJAX requests now also respond with a small message at the bottom of the page, notifying the user of the result - The following actions work now on the event page via ajax: 1. Add / remove tags 2. quick edit any attribute field if eligible 3. quickly create a proposal of any attribute field if not eligible to edit 4. popover attribute creation (also works with batch add) 5. popover proposal creation (also works with batch add) 6. delete attributes 7. accept/discard proposals 8. mass edit / delete attributes Also, replaced the old memberslist, with a small lightweight css/js based one.
2014-05-02 14:29:15 +02:00
}
public function histogram($selected = null) {
if (!$this->request->is('ajax')) throw new MethodNotAllowedException('This function can only be accessed via AJAX.');
if ($selected == '[]') $selected = null;
$selectedTypes = array();
if ($selected) $selectedTypes = json_decode($selected);
$temp = $this->User->Event->find('all', array(
'recursive' => -1,
'fields' => array('distinct(orgc)'),
));
$orgs = array();
foreach ($temp as $t) {
$orgs[] = $t['Event']['orgc'];
}
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
// What org posted what type of attribute
$this->loadModel('Attribute');
Ajaxification of the event page done also, replaced histogram in memberslist - AJAX requests now also respond with a small message at the bottom of the page, notifying the user of the result - The following actions work now on the event page via ajax: 1. Add / remove tags 2. quick edit any attribute field if eligible 3. quickly create a proposal of any attribute field if not eligible to edit 4. popover attribute creation (also works with batch add) 5. popover proposal creation (also works with batch add) 6. delete attributes 7. accept/discard proposals 8. mass edit / delete attributes Also, replaced the old memberslist, with a small lightweight css/js based one.
2014-05-02 14:29:15 +02:00
$conditions = array();
if ($selected) $conditions[] = array('Attribute.type' => $selectedTypes);
memberslist based on orgc, is more logic to reflect the contributions
2013-07-18 11:14:11 +02:00
$fields = array('Event.orgc', 'Attribute.type', 'count(Attribute.type) as `num_types`');
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$params = array('recursive' => 0,
Ajaxification of the event page done also, replaced histogram in memberslist - AJAX requests now also respond with a small message at the bottom of the page, notifying the user of the result - The following actions work now on the event page via ajax: 1. Add / remove tags 2. quick edit any attribute field if eligible 3. quickly create a proposal of any attribute field if not eligible to edit 4. popover attribute creation (also works with batch add) 5. popover proposal creation (also works with batch add) 6. delete attributes 7. accept/discard proposals 8. mass edit / delete attributes Also, replaced the old memberslist, with a small lightweight css/js based one.
2014-05-02 14:29:15 +02:00
'fields' => $fields,
'group' => array('Attribute.type', 'Event.orgc'),
'order' => array('Event.orgc', 'num_types DESC'),
'conditions' => $conditions,
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
);
Ajaxification of the event page done also, replaced histogram in memberslist - AJAX requests now also respond with a small message at the bottom of the page, notifying the user of the result - The following actions work now on the event page via ajax: 1. Add / remove tags 2. quick edit any attribute field if eligible 3. quickly create a proposal of any attribute field if not eligible to edit 4. popover attribute creation (also works with batch add) 5. popover proposal creation (also works with batch add) 6. delete attributes 7. accept/discard proposals 8. mass edit / delete attributes Also, replaced the old memberslist, with a small lightweight css/js based one.
2014-05-02 14:29:15 +02:00
$temp = $this->Attribute->find('all', $params);
$data = array();
foreach ($orgs as $k => $org) {
$data[$org]['total'] = 0;
$data[$org]['data'] = array();
foreach ($temp as $t) {
if ($t['Event']['orgc'] == $org) {
$data[$org]['data'][$t['Attribute']['type']] = $t[0]['num_types'];
}
}
}
$max = 1;
foreach ($data as &$d) {
foreach ($d['data'] as $t) {
$d['total'] += $t;
}
if ($d['total'] > $max) $max = $d['total'];
}
$this->set('data', $data);
$this->set('max', $max);
$this->set('selectedTypes', $selectedTypes);
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
// Nice graphical histogram
$this->loadModel('Attribute');
$sigTypes = array_keys($this->Attribute->typeDefinitions);
Ajaxification of the event page done also, replaced histogram in memberslist - AJAX requests now also respond with a small message at the bottom of the page, notifying the user of the result - The following actions work now on the event page via ajax: 1. Add / remove tags 2. quick edit any attribute field if eligible 3. quickly create a proposal of any attribute field if not eligible to edit 4. popover attribute creation (also works with batch add) 5. popover proposal creation (also works with batch add) 6. delete attributes 7. accept/discard proposals 8. mass edit / delete attributes Also, replaced the old memberslist, with a small lightweight css/js based one.
2014-05-02 14:29:15 +02:00
App::uses('ColourPaletteTool', 'Tools');
$paletteTool = new ColourPaletteTool();
$colours = $paletteTool->createColourPalette(count($sigTypes));
$typeDb = array();
foreach($sigTypes as $k => $type) {
$typeDb[$type] = $colours[$k];
}
$this->set('typeDb', $typeDb);
$this->set('sigTypes', $sigTypes);
$graphInterval = $this->_getIntervals($max);
$this->layout = 'ajax';
}
private function _getIntervals($max) {
$intervals = array();
if ($max > 5) {
$maxDecimals = strlen((string) $max);
//$graphInterval = $max / 10;
$graphInterval = round($max, -($maxDecimals-2), PHP_ROUND_HALF_DOWN);
$graphInterval = round($graphInterval / 5);
for ($i=0; $i<$max; $i+=$graphInterval) {
$intervals[] = $i;
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
}
Ajaxification of the event page done also, replaced histogram in memberslist - AJAX requests now also respond with a small message at the bottom of the page, notifying the user of the result - The following actions work now on the event page via ajax: 1. Add / remove tags 2. quick edit any attribute field if eligible 3. quickly create a proposal of any attribute field if not eligible to edit 4. popover attribute creation (also works with batch add) 5. popover proposal creation (also works with batch add) 6. delete attributes 7. accept/discard proposals 8. mass edit / delete attributes Also, replaced the old memberslist, with a small lightweight css/js based one.
2014-05-02 14:29:15 +02:00
} else {
for ($i=0; $i<$max; $i++) $intervals[] = $i;
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
}
Ajaxification of the event page done also, replaced histogram in memberslist - AJAX requests now also respond with a small message at the bottom of the page, notifying the user of the result - The following actions work now on the event page via ajax: 1. Add / remove tags 2. quick edit any attribute field if eligible 3. quickly create a proposal of any attribute field if not eligible to edit 4. popover attribute creation (also works with batch add) 5. popover proposal creation (also works with batch add) 6. delete attributes 7. accept/discard proposals 8. mass edit / delete attributes Also, replaced the old memberslist, with a small lightweight css/js based one.
2014-05-02 14:29:15 +02:00
return $intervals;
}
private function _generateColours($count){
$pallette = 16777216;
$array = array();
$interval = ceil($pallette / $count);
$colours = array();
for ($i = 0; $i < $count; $i++) {
$temp = $i * $interval;
$array[$i] = $temp;
$colours[$i] = $this->_convertToHex($temp);
}
return $colours;
}
private function _convertToHex($int) {
$hex = strval(dechex($int));
$filler = '';
for ($i = 0; $i < 6 - (strlen($hex)); $i++) $filler .= '0';
$filler = '#' . $filler . $hex;
return $filler;
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
}
public function terms() {
if ($this->request->is('post') || $this->request->is('put')) {
$this->User->id = $this->Auth->user('id');
$this->User->saveField('termsaccepted', true);
$this->_refreshAuth(); // refresh auth info
$this->Session->setFlash(__('You accepted the Terms and Conditions.'));
$this->redirect(array('action' => 'routeafterlogin'));
}
$this->set('termsaccepted', $this->Auth->user('termsaccepted'));
}
Update to the terms and conditions - use terms file as before if nothing else specified - specify a file in the app/files/terms directory via the server settings tool - specify whether to show it inline or create a download link for users instead - by default everything is the same as before, except that the MISP installation path is no longer exposed by a non-existing terms file
2014-10-28 15:11:40 +01:00
public function downloadTerms() {
if (!Configure::read('MISP.terms_file')) {
$termsFile = APP ."View/Users/terms";
} else {
$termsFile = APP . 'files' . DS . 'terms' . DS . Configure::read('MISP.terms_file');
}
$this->response->file($termsFile, array('download' => true, 'name' => Configure::read('MISP.terms_file')));
return $this->response;
}
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
public function news() {
$this->User->id = $this->Auth->user('id');
$this->User->saveField('newsread', date("Y-m-d"));
$this->_refreshAuth(); // refresh auth info
}
public function extraLog($action = null, $description = null, $fieldsResult = null) { // TODO move audit to AuditsController?
// new data
$userId = $this->Auth->user('id');
$model = 'User';
$modelId = $this->Auth->user('id');
if ($action == 'login') {
$description = "User (" . $this->Auth->user('id') . "): " . $this->data['User']['email'];
} elseif ($action == 'logout') {
$description = "User (" . $this->Auth->user('id') . "): " . $this->Auth->user('email');
} elseif ($action == 'edit') {
$description = "User (" . $this->User->id . "): " . $this->data['User']['email'];
} elseif ($action == 'change_pw') {
$description = "User (" . $this->User->id . "): " . $this->data['User']['email'];
$fieldsResult = "Password changed.";
}
// query
$this->Log = ClassRegistry::init('Log');
$this->Log->create();
$this->Log->save(array(
'org' => $this->Auth->user('org'),
'email' => $this->Auth->user('email'),
'action' => $action,
'title' => $description,
'change' => $fieldsResult));
// write to syslogd as well
App::import('Lib', 'SysLog.SysLog');
$syslog = new SysLog();
if ($fieldsResult) $syslog->write('notice', $description . ' -- ' . $action . ' -- ' . $fieldsResult);
else $syslog->write('notice', $description . ' -- ' . $action);
}
/**
* Used for fields_before and fields for audit
*
* @param $array
*/
public function arrayCopy(array $array) {
$result = array();
foreach ($array as $key => $val) {
if (is_array( $val)) {
$result[$key] = arrayCopy($val);
} elseif (is_object($val)) {
$result[$key] = clone $val;
} else {
$result[$key] = $val;
}
}
return $result;
}
/**
* @throws NotFoundException
**/
public function checkAndCorrectPgps() {
if (!self::_isAdmin()) throw new NotFoundException();
$this->set('fails', $this->User->checkAndCorrectPgps());
}
public function admin_email() {
if (!$this->_isSiteAdmin()) {
throw new MethodNotAllowedException();
}
$this->User->recursive = 0;
Admin contact user menu moved next to new/list user buttons, recipient e-mails are now sorted alphabetically
2014-12-05 15:15:28 +01:00
$temp = $this->User->find('all', array('fields' => array('email', 'gpgkey'), 'order' => array('email ASC')));
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$emails = array();
$gpgKeys = array();
// save all the emails of the users and set it for the dropdown list in the form
foreach ($temp as $user) {
array_push($emails, $user['User']['email']);
array_push($gpgKeys, $user['User']['gpgkey']);
}
$this->set('recipientEmail', $emails);
// User has filled in his contact form, send out the email.
if ($this->request->is('post') || $this->request->is('put')) {
$message1 = null;
$message2 = null;
$recipients = array();
$messageP = array();
// Formulating the message and the subject that will be common to the e-mail(s) sent
if ($this->request->data['User']['action'] == '0') {
// Custom message
$subject = $this->request->data['User']['subject'];
$message1 .= $this->request->data['User']['message'];
} else {
// Temp password
if ($this->request->data['User']['customMessage']) {
$message1 .= $this->request->data['User']['message'];
} else {
$message1 .= "Dear MISP user,\n\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at ";
Mass replace replace of the old CyDefSig name to MISP - fixes #82
2014-02-05 15:01:26 +01:00
$message1 .= Configure::read('MISP.baseurl');
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$message1 .= ", where you will be prompted to manually change your password to something of your own choice.";
}
//$message .= "\n\nYour temporary password: " . $password;
Mass replace replace of the old CyDefSig name to MISP - fixes #82
2014-02-05 15:01:26 +01:00
$subject = 'Password reset on ' . Configure::read('MISP.org') . ' MISP';
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
}
Mass replace replace of the old CyDefSig name to MISP - fixes #82
2014-02-05 15:01:26 +01:00
if (Configure::read('MISP.contact')) {
$message2 .= "\n\nIf you have any questions, contact us at: " . Configure::read('MISP.contact') . ".";
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
}
Mass replace replace of the old CyDefSig name to MISP - fixes #82
2014-02-05 15:01:26 +01:00
$message2 .= "\n\nBest Regards,\n" . Configure::read('MISP.org') . ' MISP support';
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
Fixed an issue with siteadmin contact e-mails resetting passwords of non existing users - a site admin could issue a password reset to a non-existing user
2013-07-25 14:45:34 +02:00
// Return an error message if the action is a password reset for a new user
Removed password creation for new users through the contact users menu
2013-07-25 17:23:52 +02:00
Fixed an issue with siteadmin contact e-mails resetting passwords of non existing users - a site admin could issue a password reset to a non-existing user
2013-07-25 14:45:34 +02:00
if ($this->request->data['User']['recipient'] == 2 && $this->request->data['User']['action'] == '1') {
$this->Session->setFlash(__('Cannot reset the password of a user that doesn\'t exist.'));
$this->redirect(array('action' => 'email', 'admin' => true));
}
Removed password creation for new users through the contact users menu
2013-07-25 17:23:52 +02:00
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
// Setting up the list of recipient(s) based on the setting and creating the final message for each user, including the password
// If the recipient is all users, and the action to create a password, create it and for each user and squeeze it between the main message and the signature
if ($this->request->data['User']['recipient'] == 0) {
$recipients = $emails;
$recipientGPG = $gpgKeys;
if ($this->request->data['User']['action'] == '1') {
$i = 0;
foreach ($recipients as $rec) {
fixes bug in previous commit.
2013-07-11 14:28:12 +02:00
$password = $this->User->generateRandomPassword();
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$messageP = "\n\nYour temporary password: " . $password;
$message[$i] = $message1 . $messageP . $message2;
$recipientPass[$i] = $password;
$i++;
}
} else {
$i = 0;
foreach ($recipients as $rec) {
$message[$i] = $message1;
$i++;
}
}
}
// If the recipient is a user, and the action to create a password, create it and squeeze it between the main message and the signature
if ($this->request->data['User']['recipient'] == 1) {
$recipients[0] = $emails[$this->request->data['User']['recipientEmailList']];
$recipientGPG[0] = $gpgKeys[$this->request->data['User']['recipientEmailList']];
if ($this->request->data['User']['action'] == '1') {
improved password generation algorithm in reset password
2013-07-11 14:26:28 +02:00
$password = $this->User->generateRandomPassword();
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$message[0] = $message1 . "\n\nYour temporary password: " . $password . $message2;
$recipientPass[0] = $password;
} else {
$message[0] = $message1;
}
}
require_once 'Crypt/GPG.php';
$i = 0;
Logging of admin emails and auth refresh - admin emails now generate log entries - authentication is refreshed on activity
2014-12-12 10:42:12 +01:00
$this->Log = ClassRegistry::init('Log');
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
foreach ($recipients as $recipient) {
if (!empty($recipientGPG[$i])) {
Fixed various things - logging of event publishing enabled for background jobs - disabled a gpg debug mode that was enabled by accident - better feedback for publishing
2014-02-10 00:29:46 +01:00
$gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir'))); // , 'debug' => true
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$gpg->addSignKey(Configure::read('GnuPG.email'), Configure::read('GnuPG.password'));
$messageSigned = $gpg->sign($message[$i], Crypt_GPG::SIGN_MODE_CLEAR);
$keyImportOutput = $gpg->importKey($recipientGPG[$i]);
try {
$gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir')));
$gpg->addEncryptKey($keyImportOutput['fingerprint']); // use the key that was given in the import
$encryptedMessage = $gpg->encrypt($messageSigned, true);
} catch (Exception $e){
// catch errors like expired PGP keys
$this->log($e->getMessage());
// no need to return here, as we want to send out mails to the other users if GPG encryption fails for a single user
}
} else {
$encryptedMessage = $message[$i];
}
// prepare the email
Mass replace replace of the old CyDefSig name to MISP - fixes #82
2014-02-05 15:01:26 +01:00
$this->Email->from = Configure::read('MISP.email');
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
$this->Email->to = $recipients[$i];
$this->Email->subject = $subject;
//$this->Email->delivery = 'debug'; // do not really send out mails, only display it on the screen
$this->Email->template = 'body';
$this->Email->sendAs = 'text'; // both text or html
$this->set('body', $encryptedMessage);
// send it
$result = $this->Email->send();
Logging of admin emails and auth refresh - admin emails now generate log entries - authentication is refreshed on activity
2014-12-12 10:42:12 +01:00
$this->Log->create();
if ($result) {
$this->Log->save(array(
'org' => $this->Auth->user('org'),
'model' => 'User',
'model_id' => $this->Auth->user('id'),
'email' => $this->Auth->user('email'),
'action' => 'admin_email',
'title' => 'Admin email to ' . $recipients[$i] . ' sent, titled "' . $subject . '".',
'change' => null,
));
} else {
$this->Log->save(array(
'org' => $this->Auth->user('org'),
'model' => 'User',
'model_id' => $this->Auth->user('id'),
'email' => $this->Auth->user('email'),
'action' => 'admin_email',
'title' => 'Admin email to ' . $recipients[$i] . ' failed.',
'change' => null,
));
}
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
// if sending successful and action was a password change, update the user's password.
if ($result && $this->request->data['User']['action'] == '1') {
$this->User->recursive = 0;
$temp = $this->User->findByEmail($recipients[$i]);
$this->User->id = $temp['User']['id'];
$this->User->read();
$this->User->saveField('password', $recipientPass[$i]);
$this->User->saveField('change_pw', '1');
}
// If you wish to send multiple emails using a loop, you'll need
// to reset the email fields using the reset method of the Email component.
$this->Email->reset();
$i++;
}
$this->Session->setFlash(__('E-mails sent.'));
}
// User didn't see the contact form yet. Present it to him.
}
First version of the new statistics page - shows a heatmap of user activity based on the logs - can show it for all users or for users of a specific org
2014-01-09 10:04:53 +01:00
// shows some statistics about the instance
public function statistics() {
Some minor changes - Statistics page has gotten a lot of extra information - Removed some old junk files - Made the size of the graph in the memberslist larger to fit all the new attribute types
2014-01-09 17:13:07 +01:00
// set all of the data up for the heatmaps
$orgs = $this->User->find('all', array('fields' => array('DISTINCT (org) AS org'), 'recursive' => -1));
First version of the new statistics page - shows a heatmap of user activity based on the logs - can show it for all users or for users of a specific org
2014-01-09 10:04:53 +01:00
$this->loadModel('Log');
$year = date('Y');
$month = date('n');
$day = date('j');
$month = $month - 5;
if ($month < 1) {
$year--;
$month = 12 + $month;
}
Some minor changes - Statistics page has gotten a lot of extra information - Removed some old junk files - Made the size of the graph in the memberslist larger to fit all the new attribute types
2014-01-09 17:13:07 +01:00
// Some additional satistics
$this_month = strtotime('first day of this month');
$stats[0] = $this->User->Event->find('count', null);
$stats[1] = $this->User->Event->find('count', array('conditions' => array('Event.timestamp >' => $this_month)));
$stats[2] = $this->User->Event->Attribute->find('count', null);
$stats[3] = $this->User->Event->Attribute->find('count', array('conditions' => array('Attribute.timestamp >' => $this_month)));
$this->loadModel('Correlation');
$this->Correlation->recursive = -1;
$stats[4] = $this->Correlation->find('count', null);
$stats[4] = $stats[4] / 2;
$stats[5] = $this->User->Event->ShadowAttribute->find('count', null);
$stats[6] = $this->User->find('count', null);
$stats[7] = count($orgs);
$this->loadModel('Thread');
Thread count now correctly displayed in the statistics - Viewing an event without a discussion thread creates an empty thread in preparation of future posts - these empty threads should not count as active threads though.
2014-02-14 10:19:57 +01:00
$stats[8] = $this->Thread->find('count', array('conditions' => array('Thread.post_count >' => 0)));
$stats[9] = $this->Thread->find('count', array('conditions' => array('Thread.date_created >' => date("Y-m-d H:i:s",$this_month), 'Thread.post_count >' => 0)));
Some minor changes - Statistics page has gotten a lot of extra information - Removed some old junk files - Made the size of the graph in the memberslist larger to fit all the new attribute types
2014-01-09 17:13:07 +01:00
$stats[10] = $this->Thread->Post->find('count', null);
$stats[11] = $this->Thread->Post->find('count', array('conditions' => array('Post.date_created >' => date("Y-m-d H:i:s",$this_month))));
$this->set('stats', $stats);
First version of the new statistics page - shows a heatmap of user activity based on the logs - can show it for all users or for users of a specific org
2014-01-09 10:04:53 +01:00
$this->set('orgs', $orgs);
$this->set('start', strtotime(date('Y-m-d H:i:s') . ' -5 months'));
$this->set('end', strtotime(date('Y-m-d H:i:s')));
$this->set('startDateCal', $year . ', ' . $month . ', 01');
Statistics changes - remove actions such as login, logout, changepw - fixed range so that a addinga a massive event doesn't make every other day seem less active
2014-02-12 17:17:15 +01:00
$range = '[5, 10, 50, 100]';
Various changes - contributors shown on the event view (list of the organisation logos of users that have contributed through proposals) - these link to the event history containing only entries from their organisation - changes to the activity heatmap - heatmap now dynamically changes the range on the graph based on the obtained values - performance improved - buttons to move back or forward in time on the calendar - Attributes: - warning for the user if he/she has selected the attribute category "targeting-data" or "attribution" as these could contain classified information - UI improvements across most attribute and shadowattribute input views - Updated cal-heatmap to the newest version
2014-02-05 13:45:18 +01:00
$this->set('range', $range);
First version of the new statistics page - shows a heatmap of user activity based on the logs - can show it for all users or for users of a specific org
2014-01-09 10:04:53 +01:00
}
Changes to the admin methods - cleaned up the methods, they all now return results without debug mode enabled - Added a verification method for all user GPG keys (as an expired key for example would send out empty messages)
2014-01-21 11:28:18 +01:00
public function verifyGPG() {
if (!self::_isSiteAdmin()) throw new NotFoundException();
$user_results = $this->User->verifyGPG();
$this->set('users', $user_results);
}
Merge branch 'feature/gui' of https://github.com/MISP/MISP into feature/gui Conflicts: app/View/Logs/admin_index.ctp app/View/Logs/admin_search.ctp app/View/Users/memberslist.ctp
2013-05-31 17:50:00 +02:00
}