new: [event:view] Added new option `show_server_correlations_for_all_users` allowing non-privileged users to view server correlations

2023-12-05 13:38:35 +01:00 · 2023-12-05 13:38:35 +01:00 · 24cfb3c987
parent 34105dba0f
commit 24cfb3c987
5 changed files with 45 additions and 27 deletions
--- a/app/Model/Event.php
+++ b/app/Model/Event.php
@ -2077,7 +2077,10 @@ class Event extends AppModel
        if ((!empty($options['includeDecayScore']) || !empty($options['includeScoresOnEvent'])) && !isset($this->DecayingModel)) {
            $this->DecayingModel = ClassRegistry::init('DecayingModel');
        }
-        if ($options['includeServerCorrelations'] && !$isSiteAdmin && $user['org_id'] != Configure::read('MISP.host_org_id')) {
+        if (
+            $options['includeServerCorrelations'] &&
+            (!$isSiteAdmin && $user['org_id'] != Configure::read('MISP.host_org_id') && !Configure::read('MISP.show_correlation_for_all_users', false))
+        ) {
            $options['includeServerCorrelations'] = false; // not permission to see server correlations
        }
        if (($options['includeFeedCorrelations'] || $options['includeServerCorrelations']) && !isset($this->Feed)) {
--- a/app/Model/Feed.php
+++ b/app/Model/Feed.php
@ -556,6 +556,13 @@ class Feed extends AppModel
        }

        $sources = $this->getCachedFeedsOrServers($user, $scope);
+        if (!$user['Role']['perm_site_admin'] && $user['org_id'] != Configure::read('MISP.host_org_id')) {
+            // Filter fields that shouldn't be visible to everyone
+            $allowedFieldsForAllUsers = array_flip(['id', 'name',]);
+            $sources = array_map(function($source) use($scope, $allowedFieldsForAllUsers) {
+                return [$scope => array_intersect_key($source[$scope], $allowedFieldsForAllUsers)];
+            }, $sources);
+        }
        foreach ($sources as $source) {
            $sourceId = $source[$scope]['id'];

@ -583,6 +590,9 @@ class Feed extends AppModel
            // Append also exact MISP feed or server event UUID
            // TODO: This can be optimised in future to do that in one pass
            if ($sourceHasHit && ($scope === 'Server' || $source[$scope]['source_format'] === 'misp')) {
+                if (!$user['Role']['perm_site_admin'] && $user['org_id'] != Configure::read('MISP.host_org_id')) {
+                    continue;
+                }
                $pipe = $redis->pipeline();
                $eventUuidHitPosition = [];
                foreach ($hitIds as $sourceHitPos => $k) {
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
@ -5959,6 +5959,14 @@ class Server extends AppModel
                    'type' => 'boolean',
                    'null' => true
                ),
+                'show_correlation_for_all_users' => array(
+                    'level' => 1,
+                    'description' => __('This setting will reveal correlations from other remote servers visible to all users.'),
+                    'value' => false,
+                    'test' => 'testBoolFalse',
+                    'type' => 'boolean',
+                    'null' => true
+                ),
                'redis_host' => array(
                    'level' => 0,
                    'description' => __('The host running the redis server to be used for generic MISP tasks such as caching. This is not to be confused by the redis server used by the background processing.'),
--- a/app/View/Elements/Events/View/row_attribute.ctp
+++ b/app/View/Elements/Events/View/row_attribute.ctp
@ -265,23 +265,18 @@
                            }
                            $popover .= '<span class=\'bold black\'>' . Inflector::humanize(h($k)) . '</span>: <span class="blue">' . $v . '</span><br />';
                        }
+                        if (empty($server['event_uuids'])) {
+                            $server['event_uuids'] = [0 => 1]; // Make sure to print the content once
+                        }
                        foreach ($server['event_uuids'] as $k => $event_uuid) {
                            $liContents = '';
-                            if ($isSiteAdmin) {
-                                $liContents .= sprintf(
-                                    '<a href="%s/servers/previewEvent/%s/%s" data-toggle="popover" data-content="%s" data-trigger="hover">%s</a>&nbsp;',
-                                    $baseurl,
-                                    h($server['id']),
-                                    h($event_uuid),
-                                    h($popover),
-                                    'S' . h($server['id']) . ':' . ($k + 1)
-                                );
-                            } else {
-                                $liContents .= sprintf(
-                                    '<span>%s</span>',
-                                    'S' . h($server['id']) . ':' . ($k + 1)
-                                );
-                            }
+                            $url = $isSiteAdmin ? sprintf('%s/servers/previewEvent/%s/%s', $baseurl, h($server['id']), h($event_uuid)) : '#';
+                            $liContents .= sprintf(
+                                '<a href="%s" data-toggle="popover" data-content="%s" data-trigger="hover">%s</a>&nbsp;',
+                                $url,
+                                h($popover),
+                                'S' . h($server['id']) . ':' . ($k + 1)
+                            );
                            echo "<li>$liContents</li>";
                        }
                    }
--- a/app/View/Elements/genericElements/SidePanels/Templates/relatedServers.ctp
+++ b/app/View/Elements/genericElements/SidePanels/Templates/relatedServers.ctp
@ -7,8 +7,10 @@
            }
            $relatedData = [
                'Name' => $relatedServer['name'],
-                'URL' => $relatedServer['url']
            ];
+            if (!empty($relatedServer['url'])) {
+                $relatedData['url'] = $relatedServer['url'];
+            }
            $popover = '';
            foreach ($relatedData as $k => $v) {
                $popover .= sprintf(
@ -16,17 +18,17 @@
                    h($k),
                    h($v)
                );
-                $serverHtml[] = sprintf(
-                    '<span style="white-space: nowrap; display: inline-block">%s</span>',
-                    sprintf(
-                        '<a href="%s/servers/previewIndex/%s" class="linkButton useCursorPointer" data-toggle="popover" data-content="%s" data-trigger="hover">%s</a>&nbsp;',
-                        $baseurl,
-                        h($relatedServer['id']),
-                        h($popover),
-                        h($relatedServer['name']) . ' (' . $relatedServer['id'] . ')'
-                    )
-                );
            }
+            $serverHtml[] = sprintf(
+                '<span style="white-space: nowrap; display: inline-block">%s</span>',
+                sprintf(
+                    '<a href="%s/servers/previewIndex/%s" class="linkButton useCursorPointer" data-toggle="popover" data-content="%s" data-trigger="hover">%s</a>&nbsp;',
+                    $baseurl,
+                    h($relatedServer['id']),
+                    h($popover),
+                    h($relatedServer['name']) . ' (' . $relatedServer['id'] . ')'
+                )
+            );
        }
    } else {
        $relatedData[] = __(