From 260f75d8c38f2ce8a95e3b6d869e5cfe9b83244b Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Wed, 12 Dec 2018 11:16:00 +0100
Subject: [PATCH] fix: [upload_analysis_file] Prevent object creation on non-existing events

---
 app/Controller/EventsController.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index afeba1d70..c9246e078 100644
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
@@ -5159,6 +5159,20 @@ class EventsController extends AppController
             //$result = $this->Event->upload_mactime($this->Auth->user(), );
         } elseif ($this->request->is('post') && $this->request['data']['SelectedData']['mactime_data']) {
+            // Find the event that is to be updated
+            if (Validation::uuid($eventId)) {
+                $eventFindParams['conditions']['Event.uuid'] = $eventId;
+            } elseif (is_numeric($eventId)) {
+                $eventFindParams['conditions']['Event.id'] = $eventId;
+            } else {
+                throw new NotFoundException(__('Invalid event.'));
+            }
+            $event = $this->Event->find('first', $eventFindParams);
+            if (empty($event) || (!$this->_isSiteAdmin() && $event['Event']['orgc_id'] != $this->Auth->user('org_id'))) {
+                throw new NotFoundException(__('Invalid event.'));
+            }
+            $eventId = $event['Event']['id'];
+
             $fileName = $this->request['data']['SelectedData']['mactime_file_name'];
             $fileData = $this->request['data']['SelectedData']['mactime_file_content'];
             $object = array();