Further work on the sharing groups

- correlations should work fine now
- users can only see events they should be allowed to see on the event index / event view / event history view
pull/762/head
iglocska 2015-04-10 15:23:53 +02:00
parent 5abd8dfead
commit 0e7b2448d2
6 changed files with 134 additions and 62 deletions


@ -30,7 +30,8 @@ class EventsController extends AppController {
),
'contain' => array(
'Org' => array('fields' => array('id', 'name')),
'Orgc' => array('fields' => array('id', 'name'))
'Orgc' => array('fields' => array('id', 'name')),
'SharingGroup' => array('fields' => array('id', 'name'))
)
);
@ -71,11 +72,25 @@ class EventsController extends AppController {
// if not admin or own org, check private as well..
if (!$this->_isSiteAdmin()) {
$sgids = $this->Event->SharingGroup->fetchAllAuthorised($this->Auth->user());
$this->paginate = Set::merge($this->paginate,array(
'conditions' =>
array("OR" => array(
array('Event.org =' => $this->Auth->user('org')),
array('Event.distribution >' => 0),
array(
'Event.org_id' => $this->Auth->user('organisation_id')
),
array(
'AND' => array(
'Event.distribution >' => 0,
'Event.distribution <' => 4,
),
),
array(
'AND' => array(
'Event.distribution' => 4,
'Event.sharing_group_id' => $sgids
),
)
))));
}
}
@ -469,7 +484,8 @@ class EventsController extends AppController {
$this->set('eventDescriptions', $this->Event->fieldDescriptions);
$this->set('analysisLevels', $this->Event->analysisLevels);
$this->set('distributionLevels', $this->Event->distributionLevels);
$shortDist = array(0 => 'Organisation', 1 => 'Community', 2 => 'Connected', 3 => 'All');
$shortDist = array(0 => 'Organisation', 1 => 'Community', 2 => 'Connected', 3 => 'All', 4 => ' sharing Group');
$this->set('shortDist', $shortDist);
}
@ -584,7 +600,7 @@ class EventsController extends AppController {
if (strlen($id) == 36) {
$this->Event->recursive = -1;
$temp = $this->Event->findByUuid($id);
if ($temp == null) throw new NotFoundException(__('Invalid event'));
if ($temp == null) throw new NotFoundException('Invalid event');
$id = $temp['Event']['id'];
}
$isSiteAdmin = $this->_isSiteAdmin();
@ -594,6 +610,7 @@ class EventsController extends AppController {
throw new NotFoundException(__('Invalid event.'));
}
$results = $this->__fetchEvent($id);
if (empty($results)) throw new NotFoundException('Invalid event');
if ($this->_isRest()) {
$this->loadModel('Attribute');
foreach ($results[0]['Attribute'] as &$attribute) {
@ -3178,4 +3195,4 @@ class EventsController extends AppController {
$this->set('id', $id);
$this->render('ajax/exportChoice');
}
}
}
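Review bot: The index condition `'Event.sharing_group_id' => $sgids` passes whatever `fetchAllAuthorised` returns straight into an IN-style condition, while `getRelatedEvents` and `getRelatedAttributes` in this same commit replace an empty `$sgids` with `array(-1)`; for a user who belongs to no sharing group the paginate conditions therefore carry an empty array, and whether CakePHP's query builder turns that into valid SQL is not something the hunk shows. Adding the same guard right after the fetch, `if (empty($sgids)) $sgids = array(-1);`, keeps the call sites consistent; `fetchEvent` in Event.php builds its `$sgids` the same unguarded way and would take the same line. The new `shortDist` entry `4 => ' sharing Group'` carries a leading space and differs in capitalisation from its neighbours; `4 => 'Sharing Group'` would match them. Dropping `__()` around `'Invalid event'` in the view hunk removes the translation wrapper that the adjacent `NotFoundException(__('Invalid event.'))` still uses, which looks unintended. `index()` and `view()` both continue outside their hunks.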


@ -68,13 +68,12 @@ class LogsController extends AppController {
$this->Event->read(null, $id);
// send unauthorised people away. Only site admins and users of the same org may see events that are "your org only". Everyone else can proceed for all other levels of distribution
if (!$this->_isSiteAdmin()) {
if ($this->Event->data['Event']['distribution'] == 0) {
if ($this->Event->data['Event']['org'] != $this->Auth->user('org')) {
$this->Session->setFlash(__('You don\'t have access to view this event.'));
$this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
} else {
$mineOrAdmin = true;
}
if (!$this->Event->checkIfAuthorised($this->Auth->user(), $id)) {
$this->Session->setFlash(__('You don\'t have access to view this event.'));
$this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
}
if ($this->Event->data['Event']['org_id'] == $this->Auth->user('organisation_id')) {
$mineOrAdmin = true;
}
} else {
$mineOrAdmin = true;
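Review bot: The new `checkIfAuthorised` call runs only after `$this->Event->read(null, $id)` on the line above it has already loaded the event and its associations, and `checkIfAuthorised` itself queries the event a second time; moving the check ahead of the `read()` avoids loading a record the user may not be permitted to see and lets the `org_id` comparison below reuse the data the read produced. The flash text `You don't have access to view this event.` is also what a non-existent `$id` now produces, since `checkIfAuthorised` returns false when `exists()` fails; that is fine as it does not reveal existence, but the comment on the line above the hunk still describes the old "your org only" rule and should be updated to mention sharing groups. The enclosing action starts and ends outside the hunk.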


@ -145,7 +145,7 @@ class SharingGroupsController extends AppController {
}
public function view($id) {
$sharingGroupIDs = $this->SharingGroup->fetchSharingGroups($this->Auth->user(), $this->_isSiteAdmin(), true);
$sharingGroupIDs = $this->SharingGroup->fetchAllAuthorised($this->Auth->user());
if (!in_array($id, $sharingGroupIDs)) throw new MethodNotAllowedException('Sharing group doesn\'t exist or you do not have permission to access it.');
$this->SharingGroup->id = $id;
$this->SharingGroup->contain(array('SharingGroupOrg' => array('Organisation'), 'Organisation'));
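Review bot: `in_array($id, $sharingGroupIDs)` compares the URL-supplied `$id` loosely against the ID list returned by `fetchAllAuthorised`, so on the PHP versions of this era a numeric-prefixed string such as a trailing-garbage id may match an integer entry and is then assigned to `$this->SharingGroup->id` unchanged. Rejecting non-numeric input before the membership test, `if (!is_numeric($id)) throw new NotFoundException('Sharing group doesn\'t exist or you do not have permission to access it.');` followed by `$id = (int) $id;`, ties the test to the exact integer used for the lookup without depending on whether the list holds ints or strings. `MethodNotAllowedException` (HTTP 405) is also the wrong status for a missing or unauthorised group; `NotFoundException` keeps the message's deliberate "doesn't exist or no permission" ambiguity with the expected 404. `view()` continues outside the hunk.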


@ -409,6 +409,7 @@ class Event extends AppModel {
public function getRelatedEvents($user, $eventId = null, $sgids) {
if ($eventId == null) $eventId = $this->data['Event']['id'];
if (!isset($sgids) || empty($sgids)) $sgids = array(-1);
$this->Correlation = ClassRegistry::init('Correlation');
// search the correlation table for the event ids of the related events
// Rules:
@ -427,27 +428,39 @@ class Event extends AppModel {
'Correlation.1_event_id' => $eventId,
array(
'OR' => array(
'Correlation.org_id' => $user['Org']['id'],
'Correlation.org' => $user['organisation_id'],
'AND' => array(
'OR' => array(
'AND' => array(
'Correlation.distribution >' => 0,
'Correlation.distribution <' => 4,
),
'AND' => array(
'Correlation.distribution' => 4,
'Correlation.sharing_group_id' => $sgids
array(
'OR' => array(
array(
'AND' => array(
'Correlation.distribution >' => 0,
'Correlation.distribution <' => 4,
),
),
array(
'AND' => array(
'Correlation.distribution' => 4,
'Correlation.sharing_group_id' => $sgids
),
),
),
),
'OR' => array(
'Correlation.a_distribution' => 5,
'AND' => array(
'Correlation.a_distribution >' => 0,
'Correlation.a_distribution <' => 4,
),
'AND' => array(
'Correlation.a_distribution' => 4,
'Correlation.a_sharing_group_id' => $sgids
array(
'OR' => array(
'Correlation.a_distribution' => 5,
array(
'AND' => array(
'Correlation.a_distribution >' => 0,
'Correlation.a_distribution <' => 4,
),
),
array(
'AND' => array(
'Correlation.a_distribution' => 4,
'Correlation.a_sharing_group_id' => $sgids
),
),
),
),
),
@ -483,35 +496,48 @@ class Event extends AppModel {
public function getRelatedAttributes($user, $id = null, $sgids) {
if ($id == null) $id = $this->data['Event']['id'];
if (!isset($sgids) || empty($sgids)) $sgids = array(-1);
$this->Correlation = ClassRegistry::init('Correlation');
// search the correlation table for the event ids of the related attributes
if (!$user['Role']['perm_site_admin']) {
$conditionsCorrelation = array(
'AND' => array(
'Correlation.1_event_id' => $eventId,
'Correlation.1_event_id' => $id,
array(
'OR' => array(
'Correlation.org_id' => $user['Org']['id'],
'Correlation.org' => $user['organisation_id'],
'AND' => array(
'OR' => array(
'AND' => array(
'Correlation.distribution >' => 0,
'Correlation.distribution <' => 4,
),
'AND' => array(
'Correlation.distribution' => 4,
'Correlation.sharing_group_id' => $sgids
array(
'OR' => array(
array(
'AND' => array(
'Correlation.distribution >' => 0,
'Correlation.distribution <' => 4,
),
),
array(
'AND' => array(
'Correlation.distribution' => 4,
'Correlation.sharing_group_id' => $sgids
),
),
),
),
'OR' => array(
'Correlation.a_distribution' => 5,
'AND' => array(
'Correlation.a_distribution >' => 0,
'Correlation.a_distribution <' => 4,
),
'AND' => array(
'Correlation.a_distribution' => 4,
'Correlation.a_sharing_group_id' => $sgids
array(
'OR' => array(
'Correlation.a_distribution' => 5,
array(
'AND' => array(
'Correlation.a_distribution >' => 0,
'Correlation.a_distribution <' => 4,
),
),
array(
'AND' => array(
'Correlation.a_distribution' => 4,
'Correlation.a_sharing_group_id' => $sgids
),
),
),
),
),
@ -933,18 +959,25 @@ class Event extends AppModel {
if (!$user['Role']['perm_site_admin']) {
$sgids = $this->SharingGroup->fetchAllAuthorised($user);
$conditions['AND']['OR'] = array(
'OR' => array(
'Event.distribution >' => 0,
'Event.org LIKE' => $org
'Event.org_id' => $user['organisation_id'],
array(
'AND' => array(
'Event.distribution >' => 0,
'Event.distribution <' => 4
),
),
'Event.sharing_group_id' => $sgids
array(
'AND' => array(
'Event.sharing_group_id' => $sgids,
'Event.distribution' => 4,
)
)
);
$conditionsAttributes['OR'] = array(
'Attribute.distribution >' => 0,
'(SELECT events.org FROM events WHERE events.id = Attribute.event_id) LIKE' => $org
'(SELECT events.org_id FROM events WHERE events.id = Attribute.event_id)' => $user['organisation_id']
);
}
if ($from) $conditions['AND'][] = array('Event.date >=' => $from);
if ($to) $conditions['AND'][] = array('Event.date <=' => $to);
@ -981,7 +1014,6 @@ class Event extends AppModel {
$fieldsShadowAtt = array('ShadowAttribute.id', 'ShadowAttribute.type', 'ShadowAttribute.category', 'ShadowAttribute.value', 'ShadowAttribute.to_ids', 'ShadowAttribute.uuid', 'ShadowAttribute.event_id', 'ShadowAttribute.old_id', 'ShadowAttribute.comment', 'ShadowAttribute.org');
$fieldsOrg = array('id', 'name');
$params = array('conditions' => $conditions,
'recursive' => 0,
'fields' => $fields,
@ -1561,7 +1593,6 @@ class Event extends AppModel {
}
return true;
} else {
debug($this->validationErrors);
//throw new MethodNotAllowedException("Validation ERROR: \n".var_export($this->Event->validationErrors, true));
return false;
}
@ -2015,4 +2046,20 @@ class Event extends AppModel {
}
return true;
}
// convenience method to check whther a user can see an event
public function checkIfAuthorised($user, $id) {
if (!isset($user['id'])) throw new MethodNotAllowedException('Invalid user.');
$this->id = $id;
if (!$this->exists()) return false;
if ($user['Role']['perm_site_admin']) return true;
$event = $this->find('first', array(
'conditions' => array('id' => $id),
'recursive' => -1,
'fields' => array('id', 'sharing_group_id', 'distribution', 'org_id')
));
if ($event['Event']['org_id'] == $user['organisation_id'] || ($event['Event']['distribution'] > 0 && $event['Event']['distribution'] < 4)) return true;
if ($event['Event']['distribution'] == 5 && $this->SharingGroup->checkIfAuthorised($user, $event['Event']['sharing_group_id'])) return true;
return false;
}
}
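Review bot: `checkIfAuthorised` grants sharing-group access only when `$event['Event']['distribution'] == 5`, but everywhere else in this commit the sharing-group distribution for events is 4 (`'Event.distribution' => 4` in the index conditions and in `fetchEvent`, `4 => ' sharing Group'` in `shortDist`), so a member of the event's sharing group is refused here even though the index lists the event for them. The comparison should read `if ($event['Event']['distribution'] == 4 && $this->SharingGroup->checkIfAuthorised($user, $event['Event']['sharing_group_id'])) return true;`. In the `fetchEvent` hunk, `$conditionsAttributes['OR']` is still only `'Attribute.distribution >' => 0`, so attributes at distribution 4 are not narrowed by `$sgids` the way `Event.distribution` and the correlation `a_distribution` conditions are; if attribute-level sharing groups are populated, those attributes reach users outside the group, so confirm whether the attribute filter was meant to mirror the event one. In `getRelatedEvents` and `getRelatedAttributes` the own-org condition now reads `'Correlation.org' => $user['organisation_id']` while every other hunk compares an `org_id` column against `organisation_id`; presumably `'Correlation.org_id'` was intended, unless the correlations table stores the numeric id in `org`.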


@ -57,7 +57,10 @@ class SharingGroup extends AppModel {
}
// returns a list of all sharing groups that the user is allowed to see
// pass true to get the actual SG objects
// scope can be:
// full: Entire SG object with all organisations and servers attached
// name: array in ID => name key => value format
// false: array with all IDs
public function fetchAllAuthorised($user, $scope = false) {
if ($user['Role']['perm_site_admin']) {
$sgs = $this->find('all', array(
@ -80,7 +83,8 @@ class SharingGroup extends AppModel {
$sgs = $this->find('list', array(
'recursive' => -1,
'fields' => array('id', 'name'),
'order' => 'name ASC'
'order' => 'name ASC',
'conditions' => array('SharingGroup.id' => $ids),
));
return $sgs;
} else {


@ -157,7 +157,12 @@
<?php echo nl2br(h($event['Event']['info'])); ?>&nbsp;
</td>
<td class="short <?php if ($event['Event']['distribution'] == 0) echo 'privateRedText';?>" ondblclick="location.href ='/events/view/<?php echo $event['Event']['id'];?>'" title = "<?php echo $event['Event']['distribution'] != 3 ? $distributionLevels[$event['Event']['distribution']] : 'All';?>">
<?php echo $shortDist[$event['Event']['distribution']]; ?>
<?php if ($event['Event']['distribution'] == 4):?>
<a href="/sharingGroups/view/<?php echo h($event['SharingGroup']['id']); ?>"><?php echo h($event['SharingGroup']['name']);?></a>
<?php else:
echo h($shortDist[$event['Event']['distribution']]);
endif;
?>
</td>
<td class="short action-links">
<?php
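Review bot: The sharing-group branch reads `$event['SharingGroup']['id']` and `['name']` without checking they are set; a distribution-4 event whose `sharing_group_id` does not resolve to a group row (the index `contain` only pulls `id` and `name`) would render a link to `/sharingGroups/view/` with an empty id and emit PHP notices. Guarding the branch with `<?php if ($event['Event']['distribution'] == 4 && !empty($event['SharingGroup']['id'])):?>` falls back to the plain label in that case. Escaping the label with `h()` in the else branch is a good addition; the `id` in the href is also passed through `h()`, which is adequate for a numeric id in a path segment.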