MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

fix: [ACL] Cryptokey add / delete key from parent received ACL checks

pull/8213/head
iglocska 2022-03-16 01:28:09 +01:00
parent 9e90513881
commit 4f706aa331
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
app/Controller/CryptographicKeysController.php
View File

@ -40,6 +40,20 @@ class CryptographicKeysController extends AppController
if (empty($type) || empty($parent_id)) {
throw new MethodNotAllowedException(__('No type and/or parent_id supplied.'));
}
if ($type === 'Event') {
$existingEvent = $this->CryptographicKey->Event->fetchSimpleEvent(
$this->Auth->user(),
$parent_id,
[
'conditions' => [
'Event.orgc_id' => $this->Auth->user('org_id')
]
]
);
if (empty($existingEvent)) {
throw new MethodNotAllowedException(__('Invalid Event.'));
}
}
$params = [
'beforeSave' => function ($data) use($type, $parent_id) {
$data['CryptographicKey']['parent_type'] = $type;
@ -63,7 +77,25 @@ class CryptographicKeysController extends AppController
public function delete($id)
{
$this->CRUD->delete($id);
$user = $this->Auth->user();
$this->CRUD->delete($id, [
'beforeDelete' => function ($data) use($user) {
$parent_type = $data['CryptographicKey']['parent_type'];
$tempModel = ClassRegistry::init($parent_type);
$existingData = $tempModel->find('first', [
'conditions' => [
$parent_type . '.id' => $data['CryptographicKey']['parent_id']
],
'recursive' => -1
]);
if ($parent_type === 'Event') {
if (!$user['Role']['perm_site_admin'] && $existingData['Event']['orgc_id'] !== $user['org_id']) {
return false;
}
}
return $data;
}
]);
if ($this->IndexFilter->isRest()) {
return $this->restResponsePayload;
}