Fixes to several ajax related issues

- malware samples / attachments couldn't be downloaded
- links weren't actually links

- deleting an attribute / shadowattribute now opens a custom confirmation dialogue. This is also where the CSRF tokens are generated for the post request to execute the delete, resulting in a faster event view load
pull/274/head
iglocska 2014-05-09 23:12:51 +02:00
parent ef07046739
commit 19b4a2ae37
9 changed files with 192 additions and 26 deletions


@ -878,6 +878,13 @@ class AttributesController extends AppController {
}
} else {
$this->set('id', $id);
$attribute = $this->Attribute->find('first', array(
'conditions' => array('id' => $id),
'recursive' => -1,
'fields' => array('id', 'event_id'),
));
$this->set('event_id', $attribute['Attribute']['event_id']);
$this->render('ajax/attributeConfirmationForm');
}
} else {
if (!$this->request->is('post') && !$this->_isRest()) {
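Review bot: The new confirmation branch passes the raw URL parameter to the view with `$this->set('id', $id);` and then reads `$attribute['Attribute']['event_id']` without checking that the find returned a row, so an unknown id yields an undefined-index notice and a rendered form whose `event_id` is empty. Consider `if (empty($attribute)) throw new NotFoundException();` after the find, and `$this->set('id', (int) $id);` so the value the view echoes into markup and into an onClick handler is guaranteed numeric. The same unchecked lookup and raw `$id` appear in the non-POST branch of `ShadowAttributesController::discard` further down. The enclosing action starts and ends outside this hunk.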


@ -197,30 +197,41 @@ class ShadowAttributesController extends AppController {
*/
// This method will discard a proposed change. Users that can delete the proposals are the publishing users of the org that created the event and of the ones that created the proposal - in addition to site admins of course
public function discard($id = null) {
if (!$this->request->is('post') || !$this->request->is('ajax')) {
if (!$this->request->is('ajax')) {
throw new MethodNotAllowedException();
}
$this->ShadowAttribute->id = $id;
$this->ShadowAttribute->read();
$eventId = $this->ShadowAttribute->data['ShadowAttribute']['event_id'];
$this->loadModel('Event');
$this->Event->Behaviors->detach('SysLogLogable.SysLogLogable');
$this->Event->recursive = -1;
$this->Event->id = $eventId;
$this->Event->read();
// Send those away that shouldn't be able to see this
if (!$this->_isSiteAdmin()) {
if ((($this->Event->data['Event']['orgc'] != $this->Auth->user('org')) && ($this->Auth->user('org') != $this->ShadowAttribute->data['ShadowAttribute']['org'])) || (!$this->userRole['perm_modify'])) {
$this->Session->setFlash('You don\'t have permission to do that');
$this->redirect(array('controller' => 'events', 'action' => 'view', $eventId));
if ($this->request->is('post')) {
$this->ShadowAttribute->id = $id;
$this->ShadowAttribute->read();
$eventId = $this->ShadowAttribute->data['ShadowAttribute']['event_id'];
$this->loadModel('Event');
$this->Event->Behaviors->detach('SysLogLogable.SysLogLogable');
$this->Event->recursive = -1;
$this->Event->id = $eventId;
$this->Event->read();
// Send those away that shouldn't be able to see this
if (!$this->_isSiteAdmin()) {
if ((($this->Event->data['Event']['orgc'] != $this->Auth->user('org')) && ($this->Auth->user('org') != $this->ShadowAttribute->data['ShadowAttribute']['org'])) || (!$this->userRole['perm_modify'])) {
$this->Session->setFlash('You don\'t have permission to do that');
$this->redirect(array('controller' => 'events', 'action' => 'view', $eventId));
}
}
if ($this->ShadowAttribute->delete($id, $cascade = false)) {
$this->_setProposalLock($eventId, false);
$this->autoRender = false;
return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Proposal discarded.')),'status'=>200));
} else {
return new CakeResponse(array('body'=> json_encode(array('false' => true, 'errors' => 'Could not discard proposal.')),'status'=>200));
}
}
if ($this->ShadowAttribute->delete($id, $cascade = false)) {
$this->_setProposalLock($eventId, false);
$this->autoRender = false;
return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Proposal discarded.')),'status'=>200));
} else {
return new CakeResponse(array('body'=> json_encode(array('false' => true, 'errors' => 'Could not discard proposal.')),'status'=>200));
$this->set('id', $id);
$shadowAttribute = $this->ShadowAttribute->find('first', array(
'conditions' => array('id' => $id),
'recursive' => -1,
'fields' => array('id', 'event_id'),
));
$this->set('event_id', $shadowAttribute['ShadowAttribute']['event_id']);
$this->render('ajax/shadowAttributeConfirmationForm');
}
}
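Review bot: The new non-POST branch (from `$this->set('id', $id);` to the render) looks up and returns `event_id` for any proposal id before the org / `perm_modify` check, which now only runs inside `if ($this->request->is('post'))`; the confirmation form carries nothing else, so the exposure appears limited to which event a given proposal id belongs to, but the lookup is also unchecked, so a missing row hits `$shadowAttribute['ShadowAttribute']['event_id']` on an empty result. Moving the existence check above the POST test so both branches share it, and throwing `NotFoundException` when `find` returns nothing, would keep the GET form from answering for ids the caller could not act on. The ownership check itself could likewise sit above the POST test, since the form is only useful to a caller who will be allowed to submit it.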


@ -1,4 +1,3 @@
<? echo $this->Html->script('ajaxification');?>
<div class="attributes <? if (!$ajax) echo 'form';?>">
<?php
echo $this->Form->create('Attribute', array('id'));


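--- /dev/null
+++ b/PATH-PLACEHOLDER/ajax/attributeConfirmationForm
@@ -0,0 +1,24 @@
+<div class="confirmation">
+<?php
+echo $this->Form->create('Attribute', array('style' => 'margin:0px;', 'id' => 'PromptForm'));
+?>
+<legend>Attribute Deletion</legend>
+<div style="padding-left:5px;padding-right:5px;padding-bottom:5px;">
+<p>Are you sure you want to delete Attribute #<?php echo $id?>?</p>
+<table>
+<tr>
+<td style="vertical-align:top">
+<span id="PromptYesButton" class="btn btn-primary" onClick="submitDeletion(<?php echo $event_id; ?>, 'delete', 'attributes', <?php echo $id;?>)">Yes</span>
+</td>
+<td style="width:540px;">
+</td>
+<td style="vertical-align:top;">
+<span class="btn btn-inverse" id="PromptNoButton" onClick="cancelPrompt();">No</span>
+</td>
+</tr>
+</table>
+</div>
+<?php
+echo $this->Form->end();
+?>
+</div>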
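Review bot: `$id` and `$event_id` are echoed unescaped both into the text of the `<p>` line and into the onClick attribute of the Yes button; `$id` is whatever the controller received from the URL, so it should pass through `h()` as the other element templates do, or be cast to an integer before it reaches the view. Suggested: `<p>Are you sure you want to delete Attribute #<?php echo h($id); ?>?</p>` and `onClick="submitDeletion(<?php echo (int) $event_id; ?>, 'delete', 'attributes', <?php echo (int) $id; ?>)"`. The new shadowAttributeConfirmationForm template further down has the identical pattern on its `<p>` and Yes-button lines.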


@ -54,8 +54,43 @@ if ($object['objectType'] == 1) {
</td>
<td class="showspaces <?php echo $extra; ?>">
<div id = "<?php echo $currentType . '_' . $object['id'] . '_value_placeholder'; ?>" class = "inline-field-placeholder"></div>
<?php if ('attachment' == $object['type'] || 'malware-sample' == $object['type'] ): ?>
<div id = "<?php echo $currentType . '_' . $object['id'] . '_value_solid'; ?>" class="inline-field-solid">
<?php else: ?>
<div id = "<?php echo $currentType . '_' . $object['id'] . '_value_solid'; ?>" class="inline-field-solid" onClick="activateField('<?php echo $currentType; ?>', '<?php echo $object['id']; ?>', 'value', <?php echo $event['Event']['id'];?>);">
<?php echo nl2br(h($object['value'])); ?>
<?php
endif;
$sigDisplay = $object['value'];
if ('attachment' == $object['type'] || 'malware-sample' == $object['type'] ) {
$t = ($currentType == 'Attribute' ? 'attributes' : 'shadow_attributes');
$filenameHash = explode('|', nl2br(h($object['value'])));
if (strrpos($filenameHash[0], '\\')) {
$filepath = substr($filenameHash[0], 0, strrpos($filenameHash[0], '\\'));
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\'));
echo h($filepath);
echo $this->Html->link($filename, array('controller' => $t, 'action' => 'download', $object['id']));
} else {
echo $this->Html->link($filenameHash[0], array('controller' => $t, 'action' => 'download', $object['id']));
}
if (isset($filenameHash[1])) echo ' | ' . $filenameHash[1];
} elseif (strpos($object['type'], '|') !== false) {
$filenameHash = explode('|', $object['value']);
echo h($filenameHash[0]);
if (isset($filenameHash[1])) echo ' | ' . $filenameHash[1];
} elseif ('vulnerability' == $object['type']) {
if (! is_null(Configure::read('MISP.cveurl'))) {
$cveUrl = Configure::read('MISP.cveurl');
} else {
$cveUrl = "http://www.google.com/search?q=";
}
echo $this->Html->link(h($sigDisplay), h($cveUrl) . h($sigDisplay), array('target' => '_blank'));
} elseif ('link' == $object['type']) {
echo $this->Html->link(h($sigDisplay), h($sigDisplay));
} else {
$sigDisplay = str_replace("\r", '', $sigDisplay);
echo nl2br(h($sigDisplay));
}
?>
</div>
</td>
<td class="showspaces bitwider <?php echo $extra; ?>">
@ -92,7 +127,7 @@ if ($object['objectType'] == 1) {
?>
</div>
</td>
<td class="<?php echo $extra; ?>" style="width:150px;">
<td class="<?php echo $extra; ?> shortish">
<div id = "<?php echo $currentType . '_' . $object['id'] . '_distribution_placeholder'; ?>" class = "inline-field-placeholder"></div>
<div id = "<?php echo $currentType . '_' . $object['id'] . '_distribution_solid'; ?>" class="inline-field-solid" onClick="activateField('<?php echo $currentType; ?>', '<?php echo $object['id']; ?>', 'distribution', <?php echo $event['Event']['id'];?>);">
<?php if ($object['objectType'] != 1 && $object['objectType'] != 2) echo h($distributionLevels[$object['distribution']]); ?>&nbsp;
@ -105,7 +140,7 @@ if ($object['objectType'] == 1) {
echo $this->Form->create('Attribute', array('class' => 'inline-delete', 'id' => $currentType . '_' . $object['id'] . '_delete', 'action' => 'delete'));
?>
<a href="/attributes/edit/<?php echo $object['id']; ?>" title="Edit" class="icon-edit useCursorPointer"></a>
<span class="icon-trash useCursorPointer" onClick="deleteObject('attributes', '<?php echo $object['id']; ?>', '<?php echo $event['Event']['id']; ?>');"></span>
<span class="icon-trash useCursorPointer" onClick="deleteObject('attributes', 'delete', '<?php echo $object['id']; ?>', '<?php echo $event['Event']['id']; ?>');"></span>
<?php
echo $this->Form->end();
} else {
@ -123,7 +158,7 @@ if ($object['objectType'] == 1) {
if (($event['Event']['orgc'] == $me['org'] && $mayModify) || $isSiteAdmin || ($object['org'] == $me['org'])) {
echo $this->Form->create('ShadowAttribute', array('class' => 'inline-delete', 'style' => 'display:inline-block;', 'id' => 'ShadowAttribute_' . $object['id'] . '_delete', 'action' => 'delete'));
?>
<span class="icon-trash useCursorPointer" onClick="deleteObject('shadow_attributes', '<?php echo $object['id']; ?>', '<?php echo $event['Event']['id']; ?>');"></span>
<span class="icon-trash useCursorPointer" onClick="deleteObject('shadow_attributes', 'discard' ,'<?php echo $object['id']; ?>', '<?php echo $event['Event']['id']; ?>');"></span>
<?php
echo $this->Form->end();
}
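Review bot: In the hunk starting at `@ -54,8 +54,43`, the composite-type branch (`} elseif (strpos($object['type'], '|') !== false) {`) escapes only the first half of the value: `echo ' | ' . $filenameHash[1];` writes the second part of `$object['value']` into the page raw, while the attachment branch just above instead splits an already-escaped string. Suggest `if (isset($filenameHash[1])) echo ' | ' . h($filenameHash[1]);` there, and in the attachment branch splitting the raw value (`explode('|', $object['value'])`) and escaping each part once where it is printed — `Html->link()` escapes its title by default, so `h()` layered on `nl2br(h(...))` will show literal entities for filenames containing `&` or `<`. For the `link` type, `h()` constrains neither the scheme nor the target of the href; if attribute values of that type are not validated on the way in, limiting the emitted href to http/https URLs would be a cheap extra safeguard. Also `if (strrpos($filenameHash[0], '\\'))` treats a backslash at position 0 as "not found"; `!== false` is the intended test.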


@ -159,6 +159,7 @@ $mayPublish = ($isAclPublish && $event['Event']['orgc'] == $me['org']);
<?php if (sizeOf($allPivots) > 1) echo $this->element('pivot'); ?>
</div>
<div id="attribute_add_form" class="attribute_add_form"></div>
<div id="confirmation_box" class="confirmation_box"></div>
<div id="attribute_creation_div" style="display:none;">
<?php
echo $this->element('eventattributecreation');


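--- /dev/null
+++ b/PATH-PLACEHOLDER/ajax/shadowAttributeConfirmationForm
@@ -0,0 +1,24 @@
+<div class="confirmation">
+<?php
+echo $this->Form->create('ShadowAttribute', array('style' => 'margin:0px;', 'id' => 'PromptForm'));
+?>
+<legend>Proposal Deletion</legend>
+<div style="padding-left:5px;padding-right:5px;padding-bottom:5px;">
+<p>Are you sure you want to delete Proposal #<?php echo $id?>?</p>
+<table>
+<tr>
+<td style="vertical-align:top">
+<span id="PromptYesButton" class="btn btn-primary" onClick="submitDeletion(<?php echo $event_id; ?>, 'discard', 'shadow_attributes', <?php echo $id;?>)">Yes</span>
+</td>
+<td style="width:540px;">
+</td>
+<td style="vertical-align:top;">
+<span class="btn btn-inverse" id="PromptNoButton" onClick="cancelPrompt();">No</span>
+</td>
+</tr>
+</table>
+</div>
+<?php
+echo $this->Form->end();
+?>
+</div>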


@ -708,6 +708,27 @@ a.proposal_link_red:hover {
z-index:5;
}
.confirmation_box {
display:none;
width: 300px;
top:calc(50% - 50px);
left:calc(50% - 150px);
position: fixed;
background-color:#f4f4f4;
border-radius: 5px;
box-shadow: 4px 4px 4px #333;
z-index:5;
}
.confirmation_box legend {
border-radius: 5px 5px 0px 0px;
margin-bottom:5px;
padding-left:5px;
width:295px;
background-color:black;
color:white;
}
.attribute_add_form {
display:none;
width: 700px;


@ -1,4 +1,4 @@
function deleteObject(type, id, event) {
function deleteObject2(type, id, event) {
var typeMessage, name, action;
if (type == 'attributes') {
action = 'delete';
@ -25,6 +25,50 @@ function deleteObject(type, id, event) {
}
}
function deleteObject(type, action, id, event) {
var destination = 'attributes';
if (type == 'shadow_attributes') destination = 'shadow_attributes';
$.get( "/" + destination + "/" + action + "/" + id, function(data) {
$("#confirmation_box").fadeIn();
$("#gray_out").fadeIn();
$("#confirmation_box").html(data);
$(window).bind('keypress', function(e) {
var code = e.keyCode || e.which;
if (code == 13) {
submitDeletion(event, action, type, id);
}
});
});
}
function cancelPrompt() {
$("#confirmation_box").fadeIn();
$("#gray_out").fadeOut();
$("#confirmation_box").empty();
}
function submitDeletion(event, action, type, id) {
var formData = $('#PromptForm').serialize();
$.ajax({
beforeSend: function (XMLHttpRequest) {
$(".loading").show();
},
data: formData,
success:function (data, textStatus) {
updateAttributeIndexOnSuccess(event);
handleGenericAjaxResponse(data);
},
complete:function() {
$(".loading").hide();
$("#confirmation_box").fadeOut();
$("#gray_out").fadeOut();
},
type:"post",
cache: false,
url:"/" + type + "/" + action + "/" + id,
});
}
function acceptObject(type, id, event) {
name = '#ShadowAttribute_' + id + '_accept';
var formData = $(name).serialize();
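Review bot: `cancelPrompt()` calls `$("#confirmation_box").fadeIn();` where the other close path in `submitDeletion`'s `complete` callback uses `fadeOut()`, so cancelling empties the box but leaves the styled container on screen; it should read `$("#confirmation_box").fadeOut();`. `deleteObject()` also binds a fresh window `keypress` handler on every open and nothing ever unbinds it, so after a cancel an Enter press anywhere on the page still calls `submitDeletion` with the stale id, and several opens fire several posts; adding `$(window).unbind('keypress');` at the top of `cancelPrompt()` and in the `complete` callback (or immediately before the `bind` call) closes that. The rename in the first hunk keeps the old body alive as `deleteObject2`, which nothing in the new code calls and whose body continues past the hunk; if it is indeed unused it is better deleted than renamed.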