From 029ef252a2a76ee878113cf71f11d1cae5a9f147 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Tue, 8 Jul 2014 11:31:23 +0200
Subject: [PATCH] Some fixes to the templating

- resolved bugs with permissions
- fixed the broken mass delete tool
- Fixed an issue with the type not being chosen correctly for file type attributes when created through the templating tool
---
 app/Controller/AttributesController.php | 16 ++++++++++------
 app/Controller/TemplatesController.php | 7 +++----
 app/Lib/Tools/ComplexTypeTool.php | 4 ++--
 app/Model/Attribute.php | 4 ++--
 app/View/Elements/eventattribute.ctp | 2 ++
 5 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php
index 300fa9d31..a28e105d2 100755
--- a/app/Controller/AttributesController.php
+++ b/app/Controller/AttributesController.php
@@ -913,22 +913,26 @@ class AttributesController extends AppController {
 if (!$this->Attribute->exists()) {
 return false;
 }
-
+ $result = $this->Attribute->find('first', array(
+ 'conditions' => array('Attribute.id' => $id),
+ 'fields' => array('Attribute.id, Attribute.event_id', 'Attribute.uuid'),
+ 'contain' => array('Event' => array(
+ 'fields' => array('Event.id', 'Event.orgc', 'Event.org', 'Event.locked')
+ )),
+ ));
 if ('true' == Configure::read('MISP.sync')) {
 // find the uuid
- $result = $this->Attribute->findById($id);
 $uuid = $result['Attribute']['uuid'];
 }
 // check for permissions
 if (!$this->_isSiteAdmin()) {
- $this->Attribute->read();
- if ($this->Attribute->data['Event']['locked']) {
- if ($this->_checkOrg() != $this->Attribute->data['Event']['org'] || !$this->userRole['perm_sync']) {
+ if ($result['Event']['locked']) {
+ if ($this->_checkOrg() != $result['Event']['org'] || !$this->userRole['perm_sync']) {
 throw new MethodNotAllowedException();
 }
 } else {
- if ($this->_checkOrg() != $this->Attribute->data['Event']['orgc']) {
+ if ($this->_checkOrg() != $result['Event']['orgc']) {
 throw new MethodNotAllowedException();
 }
 }
diff --git a/app/Controller/TemplatesController.php b/app/Controller/TemplatesController.php
index 61c967fc8..482d48575 100644
--- a/app/Controller/TemplatesController.php
+++ b/app/Controller/TemplatesController.php
@@ -230,7 +230,7 @@ class TemplatesController extends AppController {
 'recursive' => -1,
 'fields' => array('orgc', 'id'),
 ));
- if (empty($event) || (!$this->_isSiteAdmin() && $event['Event']['orgc'] != $this->Auth->user('org'))) throw new MethodNotFoundException('Event not found or you are not authorised to edit it.');
+ if (empty($event) || (!$this->_isSiteAdmin() && $event['Event']['orgc'] != $this->Auth->user('org'))) throw new NotFoundException('Event not found or you are not authorised to edit it.');
 $conditions = array();
 if (!$this->_isSiteAdmin) {
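Review bot: The new `'fields'` list on the find() call packs two columns into a single string, `'Attribute.id, Attribute.event_id'`, which looks like a misplaced quote; `'fields' => array('Attribute.id', 'Attribute.event_id', 'Attribute.uuid'),` keeps each column as its own element so the ORM can quote and validate them individually. The removed `$this->Attribute->read()` used to populate `$this->Attribute->data`; if anything later in this method (the delete itself or a model callback, both outside the hunk) still relies on that being loaded, it now sees stale or empty data, so that is worth checking before merging. The new org checks keep the loose `!=` from the removed lines; if `_checkOrg()` and the stored org are guaranteed to be the same type, `!==` would make the permission test stricter, but I cannot confirm that from the hunk. The enclosing method begins before the hunk and continues past it.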
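Review bot: The last context line of this hunk, `if (!$this->_isSiteAdmin) {`, reads a property rather than calling the method, while the changed line two lines above correctly uses `$this->_isSiteAdmin()`; an undefined property evaluates to null, so that branch would also run for site admins. Presumably it should read `if (!$this->_isSiteAdmin()) {`, but the body of the block is outside the hunk, so I cannot see which restriction it applies. Throwing NotFoundException for both the missing and the unauthorised case is fine, since it avoids revealing whether the event exists. The enclosing method starts before the hunk and continues past it.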
@@ -268,10 +268,9 @@ class TemplatesController extends AppController {
 if (empty($event)) throw new MethodNotAllowedException('Event not found or you are not authorised to edit it.');
 if (empty($template)) throw new MethodNotAllowedException('Template not found or you are not authorised to edit it.');
-
 if (!$this->_isSiteAdmin()) {
 if ($event['Event']['orgc'] != $this->Auth->user('org')) throw new MethodNotAllowedException('Event not found or you are not authorised to edit it.');
- if ($template['Template']['org'] != $this->Auth->user('org')) throw new MethodNotAllowedException('Template not found or you are not authorised to use it.');
+ if ($template['Template']['org'] != $this->Auth->user('org') && !$template['Template']['share']) throw new MethodNotAllowedException('Template not found or you are not authorised to use it.');
 }
 $this->set('template_id', $template_id);
@@ -306,7 +305,7 @@ class TemplatesController extends AppController {
 $event = $this->Event->find('first', array(
 'conditions' => array('id' => $event_id),
 'recursive' => -1,
- 'fields' => array('id', 'orgc', 'distribution'),
+ 'fields' => array('id', 'orgc', 'distribution', 'published'),
 'contain' => 'EventTag',
 ));
 if (empty($event)) throw new MethodNotAllowedException('Event not found or you are not authorised to edit it.');
diff --git a/app/Lib/Tools/ComplexTypeTool.php b/app/Lib/Tools/ComplexTypeTool.php
index 83f6554e9..7ecfc2516 100644
--- a/app/Lib/Tools/ComplexTypeTool.php
+++ b/app/Lib/Tools/ComplexTypeTool.php
@@ -1,7 +1,6 @@ $type, 'value' => $input);
+ return array('type' => $type, 'value' => $original);
 }
 public function checkComplexCnC($input) {
diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php
index 43f30e611..1435cfdac 100755
--- a/app/Model/Attribute.php
+++ b/app/Model/Attribute.php
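Review bot: The new condition reads `$template['Template']['share']`, so the find() that loads `$template` (outside the hunk) must include `share` in its field list; if it does not, the key is missing, PHP raises a notice, and `!null` is true, so the check falls back to denying every foreign template and the new sharing path is silently inoperative. That fails closed, which is the right direction, but it is worth confirming with a request against a shared template owned by another org. The enclosing method starts before the hunk and continues past it.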
@@ -513,7 +513,6 @@ class Attribute extends AppModel {
 public function validateAttributeValue($fields) {
 $value = $fields['value'];
 $returnValue = false;
-
 // check data validation
 switch($this->data['Attribute']['type']) {
 case 'md5':
@@ -1381,7 +1380,7 @@ class Attribute extends AppModel {
 }
 }
 $result = $this->__resolveElementFile($element['TemplateElementFile'][0], $temp);
- if ($element['TemplateElementFile'][0]['mandatory'] && empty($temp) && empty($errors[$element['id']])) $errors[$element['id']] = 'Error: This field is mandatory.';
+ if ($element['TemplateElementFile'][0]['mandatory'] && empty($temp) && empty($errors[$element['id']])) $errors[$element['id']] = 'This field is mandatory.';
 }
 if ($element['element_definition'] == 'file' || $element['element_definition'] == 'attribute') {
 if ($result['errors']) {
@@ -1459,6 +1458,7 @@ class Attribute extends AppModel {
 if (!$tmp_file->exists()) {
 $errors = 'File cannot be read.';
 } else {
+ $element['type'] = 'malware-sample';
 $attributes[] = $this->__createAttribute($element, $malwareName);
 $content = $tmp_file->read();
 $attributes[count($attributes) - 1]['data'] = $file['tmp_name'];
diff --git a/app/View/Elements/eventattribute.ctp b/app/View/Elements/eventattribute.ctp
index 7fbda83d6..b222ec6d4 100644
--- a/app/View/Elements/eventattribute.ctp
+++ b/app/View/Elements/eventattribute.ctp
@@ -62,9 +62,11 @@ +
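Review bot: In the `@@ -1459` hunk the added line pins the attribute type to the bare literal `'malware-sample'` with no explanation of why the element's own definition is not used; a short comment would help, e.g. `// file elements carry no type of their own, so every uploaded sample is stored as malware-sample`. If this branch can also be reached for plain attachments (the surrounding `$malwareName` suggests it cannot, but the loop header and any earlier type selection are outside the hunk), the type should come from the element definition rather than a constant. The enclosing method starts before the hunk and continues past it.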
+