From 32962184fa5d8fad0e7c25c18cdd29bb3744b2f7 Mon Sep 17 00:00:00 2001
From: Patrizio Tufarolo <patriziotufarolo@users.noreply.github.com>
Date: Tue, 8 Jan 2019 12:47:45 +0100
Subject: [PATCH] fix: check also event.org_id when validating event ownership
 in order to fetch attributes

Fixes #1918
---
 app/Model/Attribute.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php
index 235171f6a..b017b4d99 100644
--- a/app/Model/Attribute.php
+++ b/app/Model/Attribute.php
@@ -2898,7 +2898,7 @@ class Attribute extends AppModel
             $params['group'] = empty($options['group']) ? $options['group'] : false;
         }
         if (Configure::read('MISP.unpublishedprivate')) {
-            $params['conditions']['AND'][] = array('OR' => array('Event.published' => 1, 'Event.orgc_id' => $user['org_id']));
+            $params['conditions']['AND'][] = array('OR' => array('Event.published' => 1, 'Event.orgc_id' => $user['org_id'], 'Event.org_id' => $user['org_id']));
         }
         if (!empty($options['list'])) {
             if (!empty($options['event_ids'])) {