Changes to the event view

- reworked the way events are loaded and reloaded to check for
privileges
pull/217/head
iglocska 2013-06-03 17:23:34 +02:00
parent f545511a76
commit 0b834464ac
4 changed files with 51 additions and 72 deletions


@ -126,43 +126,52 @@ class EventsController extends AppController {
if ($temp == null) throw new NotFoundException(__('Invalid event'));
$id = $temp['Event']['id'];
}
$isSiteAdmin = $this->_isSiteAdmin();
$this->Event->recursive = 2;
$this->Event->contain('Attribute', 'ShadowAttribute', 'User.email');
$this->Event->id = $id;
$this->Event->read(null, $id);
if (!$this->Event->exists()) {
throw new NotFoundException(__('Invalid event, it already exists.'));
}
$this->Event->read(null, $id);
// rearrange the shadow attributes
foreach ($this->Event->data['Attribute'] as $key => &$attribute) {
if (!isset($attribute['ShadowAttribute'])) $attribute['ShadowAttribute'] = array();
foreach ($this->Event->data['ShadowAttribute'] as $k => &$sa) {
if ($sa['old_id'] == $attribute['id']) {
$this->Event->data['Attribute'][$key]['ShadowAttribute'][] = $sa;
unset($this->Event->data['ShadowAttribute'][$k]);
}
}
}
$userEmail = $this->Event->data['User']['email'];
unset ($this->Event->data['User']);
$this->Event->data['User']['email'] = $userEmail;
if (!$this->_IsSiteAdmin()) {
// check for non-private and re-read
if ($this->Event->data['Event']['org'] != $this->Auth->user('org')) {
$this->Event->hasMany['Attribute']['conditions'] = array('OR' => array(array('Attribute.private !=' => 1), array('Attribute.private =' => 1, 'Attribute.cluster =' => 1))); // TODO seems very dangerous for the correlation construction in afterSave!!!
$this->Event->read(null, $id);
}
$myEvent = true;
if (!$isSiteAdmin) {
// check private
if (($this->Event->data['Event']['private'] && !$this->Event->data['Event']['cluster']) && ($this->Event->data['Event']['org'] != $this->Auth->user('org'))) {
$this->Session->setFlash(__('Invalid event.'));
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
}
if ($this->Event->data['Event']['org'] != $this->Auth->user('org')) {
$myEvent = false;
}
// Now that we're loaded the event and made sure that we can actually see it, let's do 2 thngs:
// run through each attribute and unset it if it's private and we're not an admin or from the owner org of the event
// if we didn't unset the attribute, rearrange the shadow attributes
foreach ($this->Event->data['Attribute'] as $key => &$attribute) {
if (!$isSiteAdmin && !$myEvent && $attribute['private'] == 1) {
unset($this->Event->data['Attribute'][$key]);
} else {
if (!isset($attribute['ShadowAttribute'])) $attribute['ShadowAttribute'] = array();
foreach ($this->Event->data['ShadowAttribute'] as $k => &$sa) {
if ($sa['old_id'] == $attribute['id']) {
$this->Event->data['Attribute'][$key]['ShadowAttribute'][] = $sa;
unset($this->Event->data['ShadowAttribute'][$k]);
}
}
}
}
// since we unset some attributes and shadowattributes, let's reindex them.
$this->Event->data['ShadowAttribute'] = array_values($this->Event->data['ShadowAttribute']);
$this->Event->data['Attribute'] = array_values($this->Event->data['Attribute']);
$userEmail = $this->Event->data['User']['email'];
unset ($this->Event->data['User']);
$this->Event->data['User']['email'] = $userEmail;
$this->set('analysisLevels', $this->Event->analysisLevels);
$this->loadModel('Attribute');
$relatedEvents = $this->Event->getRelatedEvents($this->Auth->user());
$relatedAttributes = $this->Event->getRelatedAttributes($this->Auth->user());
@ -196,14 +205,9 @@ class EventsController extends AppController {
} else {
$conditions = array('AND' => array('ShadowAttribute.event_id' => $this->Event->data['Event']['id'], 'ShadowAttribute.old_id' => '0', 'ShadowAttribute.org' => $this->Auth->user('org')));
}
$this->loadModel('ShadowAttribute');
// Only load the shadow attributes, nothing related
$this->ShadowAttribute->recursive = -1;
$remaining = $this->ShadowAttribute->find('all', array(
'conditions' => $conditions
));
$remaining = $this->Event->data['ShadowAttribute'];
}
$this->loadModel('Attribute');
// params for the jQuery RESTfull interface
$this->set('authkey', $this->Auth->user('authkey'));
$this->set('baseurl', Configure::read('CyDefSIG.baseurl'));
@ -213,7 +217,6 @@ class EventsController extends AppController {
// passing decriptions for model fields
$this->set('eventDescriptions', $this->Event->fieldDescriptions);
$this->set('attrDescriptions', $this->Attribute->fieldDescriptions);
$this->set('event', $this->Event->data);
if(isset($remaining)) {
$this->set('remaining', $remaining);
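Review bot: Shadow attributes attached to a private attribute that is removed at `unset($this->Event->data['Attribute'][$key]);` are never taken out of `$this->Event->data['ShadowAttribute']`, because the `old_id` matching loop only runs in the `else` branch, and the second hunk now sets `$remaining = $this->Event->data['ShadowAttribute'];`, so those proposals reach the view for exactly the users the attribute was hidden from. The branch that hides the attribute should drop its proposals as well, as in the excerpt below. The same hunk leaves `$conditions` (including the `'ShadowAttribute.org' => $this->Auth->user('org')` restriction in the `else` branch) computed but unused, so whatever org scoping it expressed no longer applies to `$remaining` and would have to be reapplied to the in-memory list if it is still wanted. The event-level check honours `cluster`, but the attribute filter `$attribute['private'] == 1` does not consult `$attribute['cluster']`, which may hide cluster-shared attributes that the old `hasMany` condition still returned; worth confirming that is intended. The enclosing action starts before the first hunk, and the `&$attribute` / `&$sa` references are not `unset()` after the loops.
```php
foreach ($this->Event->data['Attribute'] as $key => &$attribute) {
    if (!$isSiteAdmin && !$myEvent && $attribute['private'] == 1) {
        unset($this->Event->data['Attribute'][$key]);
        // drop the proposals that belong to the hidden attribute as well,
        // otherwise they survive into $remaining and are shown to the viewer
        foreach ($this->Event->data['ShadowAttribute'] as $k => $sa) {
            if ($sa['old_id'] == $attribute['id']) unset($this->Event->data['ShadowAttribute'][$k]);
        }
    } else {
        // … unchanged: attach matching shadow attributes to the attribute …
    }
}
```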


@ -73,22 +73,6 @@ class Attribute extends AppModel {
'All communities' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This will share the event with all MISP communities, allowing the event to be freely propagated from one server to the next."),
);
public $hasMany = array(
'ShadowAttribute' => array(
'className' => 'ShadowAttribute',
'foreignKey' => 'old_id',
'dependent' => true, // cascade deletes
'conditions' => '',
'fields' => '',
'order' => array('ShadowAttribute.old_id DESC', 'ShadowAttribute.old_id DESC'),
'limit' => '',
'offset' => '',
'exclusive' => '',
'finderQuery' => '',
'counterQuery' => ''
)
);
// these are definition of possible types + their descriptions and maybe later other behaviors
// e.g. if the attribute should be correlated with others or not


@ -273,14 +273,6 @@ class ShadowAttribute extends AppModel {
* @var array
*/
public $belongsTo = array(
'Attribute' => array(
'className' => 'Attribute',
'foreignKey' => 'id',
'conditions' => '',
'fields' => '',
'order' => '',
'counterCache' => true
),
'Event' => array(
'className' => 'Event',
'foreignKey' => 'id',


@ -305,41 +305,41 @@ if (!empty($event['Attribute'])):?>
//if ($remain === end($remaining)) $extra .= ' highlightBottom';
?>
<tr class="highlight2">
<td class="highlight2" title="<?php if('' != $remain['ShadowAttribute']['category']) echo $categoryDefinitions[$remain['ShadowAttribute']['category']]['desc'];?>">
<td class="highlight2" title="<?php if('' != $remain['category']) echo $categoryDefinitions[$remain['category']]['desc'];?>">
<?php
echo h($remain['ShadowAttribute']['category']);
echo h($remain['category']);
?>
</td>
<td class="short highlight2" title="
<?php
echo $typeDefinitions[$remain['ShadowAttribute']['type']]['desc'];
echo $typeDefinitions[$remain['type']]['desc'];
?>
">
<?php
echo h($remain['ShadowAttribute']['type']);
echo h($remain['type']);
?>
</td>
<td class = "short highlight2">
<?php
$sigDisplay = nl2br(h($remain['ShadowAttribute']['value']));
if ('attachment' == $remain['ShadowAttribute']['type'] || 'malware-sample' == $remain['ShadowAttribute']['type'] ) {
$filenameHash = explode('|', $remain['ShadowAttribute']['value']);
$sigDisplay = nl2br(h($remain['value']));
if ('attachment' == $remain['type'] || 'malware-sample' == $remain['type'] ) {
$filenameHash = explode('|', $remain['value']);
if (strrpos($filenameHash[0], '\\')) {
$filepath = substr($filenameHash[0], 0, strrpos($filenameHash[0], '\\'));
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\'));
echo $filepath;
echo $this->Html->link($filename, array('controller' => 'shadow_attributes', 'action' => 'download', $remain['ShadowAttribute']['id']));
echo $this->Html->link($filename, array('controller' => 'shadow_attributes', 'action' => 'download', $remain['id']));
} else {
echo $this->Html->link($filenameHash[0], array('controller' => 'shadow_attributes', 'action' => 'download', $remain['ShadowAttribute']['id']));
echo $this->Html->link($filenameHash[0], array('controller' => 'shadow_attributes', 'action' => 'download', $remain['id']));
}
if (isset($filenameHash[1])) echo ' | ' . $filenameHash[1];
} elseif (strpos($remain['ShadowAttribute']['type'], '|') !== false) {
$filenameHash = explode('|', $remain['ShadowAttribute']['value']);
} elseif (strpos($remain['type'], '|') !== false) {
$filenameHash = explode('|', $remain['value']);
echo h($filenameHash[0]);
if (isset($filenameHash[1])) echo ' | ' . $filenameHash[1];
} elseif ('vulnerability' == $remain['ShadowAttribute']['type']) {
} elseif ('vulnerability' == $remain['type']) {
echo $this->Html->link(h($sigDisplay), 'http://www.google.com/search?q=' . h($sigDisplay), array('target' => '_blank'));
} elseif ('link' == $remain['ShadowAttribute']['type']) {
} elseif ('link' == $remain['type']) {
echo $this->Html->link(h($sigDisplay), h($sigDisplay));
} else {
echo h($sigDisplay);
@ -350,15 +350,15 @@ if (!empty($event['Attribute'])):?>
</td>
<td class="short highlight2">
<?php
echo $remain['ShadowAttribute']['to_ids'] ? 'Yes' : 'No';
echo $remain['to_ids'] ? 'Yes' : 'No';
?></td>
<td class="short highlight2"></td>
<td class="short action-links highlight2">
<?php
if (($event['Event']['org'] == $me['org'] && $mayPublish) || $isSiteAdmin) {
echo $this->Html->link('', array('controller' => 'shadow_attributes', 'action' => 'accept', $remain['ShadowAttribute']['id']), array('class' => 'icon-ok', 'title' => 'Accept'));
echo $this->Html->link('', array('controller' => 'shadow_attributes', 'action' => 'accept', $remain['id']), array('class' => 'icon-ok', 'title' => 'Accept'));
}
echo $this->Html->link('', array('controller' => 'shadow_attributes', 'action' => 'discard',$remain['ShadowAttribute']['id']), array('class' => 'icon-trash', 'title' => 'Discard'));
echo $this->Html->link('', array('controller' => 'shadow_attributes', 'action' => 'discard',$remain['id']), array('class' => 'icon-trash', 'title' => 'Discard'));
?>
</td>
</tr>
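Review bot: The rewritten lines `echo $typeDefinitions[$remain['type']]['desc'];` and the `title` attribute built from `$categoryDefinitions[$remain['category']]['desc']` emit the description without `h()` and without checking that the key exists, unlike the neighbouring `echo h($remain['type']);`. Now that `$remain` is a flat row taken straight from the event's shadow attributes, an unexpected `type` or `category` value produces an undefined-index notice inside the HTML attribute. Guarding with `echo isset($typeDefinitions[$remain['type']]) ? h($typeDefinitions[$remain['type']]['desc']) : '';` (and the same form for the category title) keeps the attribute well-formed and escaped consistently with the rest of the cell.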