diff --git a/app/Model/Event.php b/app/Model/Event.php
index b8b5fb472..80af720e0 100755
--- a/app/Model/Event.php
+++ b/app/Model/Event.php
@@ -2077,7 +2077,10 @@ class Event extends AppModel
if ((!empty($options['includeDecayScore']) || !empty($options['includeScoresOnEvent'])) && !isset($this->DecayingModel)) {
$this->DecayingModel = ClassRegistry::init('DecayingModel');
}
- if ($options['includeServerCorrelations'] && !$isSiteAdmin && $user['org_id'] != Configure::read('MISP.host_org_id')) {
+ if (
+ $options['includeServerCorrelations'] &&
+ (!$isSiteAdmin && $user['org_id'] != Configure::read('MISP.host_org_id') && !Configure::read('MISP.show_correlation_for_all_users', false))
+ ) {
$options['includeServerCorrelations'] = false; // not permission to see server correlations
}
if (($options['includeFeedCorrelations'] || $options['includeServerCorrelations']) && !isset($this->Feed)) {
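Review bot: The new `MISP.show_correlation_for_all_users` flag is consulted only in this condition, while the two checks this commit adds in Feed.php (the field filter after `getCachedFeedsOrServers` and the `continue` before the event-UUID pass) hard-code the same "site admin or host org" rule without reading the setting, so the rule now exists in three spellings (`$isSiteAdmin` here, `$user['Role']['perm_site_admin']` there) that will drift. One helper, e.g. `private function userCanSeeFullServerCorrelations(array $user): bool` on the shared parent model, called from all three sites, would keep the gate in one place. Note also that `$user['org_id'] != Configure::read('MISP.host_org_id')` is a loose comparison; if the configured value can be a string, an explicit `(int)` cast on both sides documents the intent. The enclosing method starts outside this hunk.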
diff --git a/app/Model/Feed.php b/app/Model/Feed.php
index 413733880..c673522ce 100644
--- a/app/Model/Feed.php
+++ b/app/Model/Feed.php
@@ -556,6 +556,13 @@ class Feed extends AppModel
}
$sources = $this->getCachedFeedsOrServers($user, $scope);
+ if (!$user['Role']['perm_site_admin'] && $user['org_id'] != Configure::read('MISP.host_org_id')) {
+ // Filter fields that shouldn't be visible to everyone
+ $allowedFieldsForAllUsers = array_flip(['id', 'name',]);
+ $sources = array_map(function($source) use($scope, $allowedFieldsForAllUsers) {
+ return [$scope => array_intersect_key($source[$scope], $allowedFieldsForAllUsers)];
+ }, $sources);
+ }
foreach ($sources as $source) {
$sourceId = $source[$scope]['id'];
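Review bot: The filter keeps only `id` and `name` in `$source[$scope]` for non-host-org users, but the later condition `($scope === 'Server' || $source[$scope]['source_format'] === 'misp')` still reads `source_format` for the Feed scope, so for those users it now raises an undefined-index notice on every feed hit before the `continue` added further down can apply. Since that `continue` skips the UUID pass for exactly the same users, computing the permission once before the loop and putting it first in the condition avoids both the notice and the repeated `Configure::read` per iteration: `$canSeeAllSourceFields = $user['Role']['perm_site_admin'] || $user['org_id'] == Configure::read('MISP.host_org_id');`, then `if (!$canSeeAllSourceFields) { /* field filter */ }` and `if ($sourceHasHit && $canSeeAllSourceFields && ($scope === 'Server' || $source[$scope]['source_format'] === 'misp'))`. The same point applies to the second hunk of this file. The `array_map` closure does not use `$this`, so `static function` would be the idiomatic form.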
@@ -583,6 +590,9 @@ class Feed extends AppModel
// Append also exact MISP feed or server event UUID
// TODO: This can be optimised in future to do that in one pass
if ($sourceHasHit && ($scope === 'Server' || $source[$scope]['source_format'] === 'misp')) {
+ if (!$user['Role']['perm_site_admin'] && $user['org_id'] != Configure::read('MISP.host_org_id')) {
+ continue;
+ }
$pipe = $redis->pipeline();
$eventUuidHitPosition = [];
foreach ($hitIds as $sourceHitPos => $k) {
diff --git a/app/Model/Server.php b/app/Model/Server.php
index 61af3a9e4..562980abe 100644
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
@@ -5959,6 +5959,14 @@ class Server extends AppModel
'type' => 'boolean',
'null' => true
),
+ 'show_correlation_for_all_users' => array(
+ 'level' => 1,
+ 'description' => __('This setting will reveal correlations from other remote servers visible to all users.'),
+ 'value' => false,
+ 'test' => 'testBoolFalse',
+ 'type' => 'boolean',
+ 'null' => true
+ ),
'redis_host' => array(
'level' => 0,
'description' => __('The host running the redis server to be used for generic MISP tasks such as caching. This is not to be confused by the redis server used by the background processing.'),
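Review bot: The description of `show_correlation_for_all_users` does not say what is actually revealed, and the Feed.php changes in this commit reduce the visible data to the server id and name and withhold the event UUIDs, with previews still limited to site admins in the view. A user reading the settings page cannot tell that from "reveal correlations from other remote servers visible to all users", which also reads as though the setting is already on. Suggested wording: `__('When enabled, users outside the host organisation can see that an attribute correlates with events on remote servers (server id and name only); event UUIDs and previews remain restricted to site admins and host organisation users. Disabled by default.')`.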
diff --git a/app/View/Elements/Events/View/row_attribute.ctp b/app/View/Elements/Events/View/row_attribute.ctp
index 33d09fc9a..58dcd0333 100644
--- a/app/View/Elements/Events/View/row_attribute.ctp
+++ b/app/View/Elements/Events/View/row_attribute.ctp
@@ -265,23 +265,18 @@
}
$popover .= '' . Inflector::humanize(h($k)) . ': ' . $v . '
';
}
+ if (empty($server['event_uuids'])) {
+ $server['event_uuids'] = [0 => 1]; // Make sure to print the content once
+ }
foreach ($server['event_uuids'] as $k => $event_uuid) {
$liContents = '';
- if ($isSiteAdmin) {
- $liContents .= sprintf(
- '%s ',
- $baseurl,
- h($server['id']),
- h($event_uuid),
- h($popover),
- 'S' . h($server['id']) . ':' . ($k + 1)
- );
- } else {
- $liContents .= sprintf(
- '%s',
- 'S' . h($server['id']) . ':' . ($k + 1)
- );
- }
+ $url = $isSiteAdmin ? sprintf('%s/servers/previewEvent/%s/%s', $baseurl, h($server['id']), h($event_uuid)) : '#';
+ $liContents .= sprintf(
+ '%s ',
+ $url,
+ h($popover),
+ 'S' . h($server['id']) . ':' . ($k + 1)
+ );
echo "