MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

fix: [acl] Event graph

pull/8710/head
Jakub Onderka 2022-10-26 13:39:30 +02:00
parent 6461d7c8cd
commit 5299f50e20
2 changed files with 20 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
app/Controller/EventGraphController.php
View File

@ -10,11 +10,6 @@ class EventGraphController extends AppController
'RequestHandler'
);
public function beforeFilter()
{
parent::beforeFilter();
}
public function view($event_id = false, $graph_id = null)
{
if ($event_id === false) {
@ -75,18 +70,20 @@ class EventGraphController extends AppController
if (empty($eventGraph)) {
throw new MethodNotAllowedException('Invalid event graph');
}
$eventGraph = $eventGraph;
$imageData = $this->EventGraph->getPictureData($eventGraph);
return new CakeResponse(array('body' => $imageData, 'type' => 'png'));
}
public function add($event_id = false)
{
if (empty($event_id)) {
throw new MethodNotAllowedException(__('No event ID set.'));
}
if ($this->request->is('get')) {
if ($this->_isRest()) {
return $this->RestResponse->describe('EventGraph', 'add', false, $this->response->type());
}
$formURL = 'eventGraph_add_form';
if (!$this->_isSiteAdmin() && (!$this->userRole['perm_modify'] && !$this->userRole['perm_modify_org'])) {
throw new NotFoundException(__('Invalid event'));
@ -94,30 +91,30 @@ class EventGraphController extends AppController
$this->set('action', 'add');
$this->set('event_id', $event_id);
$this->render('ajax/' . $formURL);
$this->render('ajax/eventGraph_add_form');
} else {
if (empty($event_id)) {
throw new MethodNotAllowedException(__('No event ID set.'));
}
$this->loadModel('Event');
$event = $this->Event->fetchSimpleEvent($this->Auth->user(), $event_id);
if (empty($event)) {
throw new NotFoundException('Invalid event');
}
$eventGraph = array();
if (!$this->_isSiteAdmin() && ($event['Event']['orgc_id'] != $this->Auth->user('org_id') && !$this->userRole['perm_modify'])) {
throw new UnauthorizedException(__('You do not have permission to do that.'));
} else {
$eventGraph['EventGraph']['event_id'] = $event['Event']['id'];
if (!$this->ACL->canModifyEvent($this->Auth->user(), $event)) {
throw new ForbiddenException(__('You do not have permission to do that.'));
}
if (!isset($this->request->data['EventGraph']['network_json'])) {
throw new MethodNotAllowedException('No network data set');
} else {
$eventGraph['EventGraph']['network_json'] = $this->request->data['EventGraph']['network_json'];
}
if (!JsonTool::isValid($this->request->data['EventGraph']['network_json'])) {
throw new MethodNotAllowedException('Network data is not valid JSON.');
}
$eventGraph = ['EventGraph' => [
'event_id' => $event['Event']['id'],
'network_json' => $this->request->data['EventGraph']['network_json'],
'user_id' => $this->Auth->user('id'),
'org_id' => $this->Auth->user('org_id'),
]];
if (!isset($this->request->data['EventGraph']['network_name'])) {
$eventGraph['EventGraph']['network_name'] = null;
} else {
@ -128,10 +125,6 @@ class EventGraphController extends AppController
$eventGraph['EventGraph']['preview_img'] = $this->request->data['EventGraph']['preview_img'];
}
// Network pushed will be the owner of the authentication key
$eventGraph['EventGraph']['user_id'] = $this->Auth->user('id');
$eventGraph['EventGraph']['org_id'] = $this->Auth->user('org_id');
$result = $this->EventGraph->save(
$eventGraph,
true,

5
app/Model/EventGraph.php
View File

@ -1,5 +1,6 @@
<?php
App::uses('AppModel', 'Model');
class EventGraph extends AppModel
{
public $useTable = 'event_graph';
@ -27,7 +28,6 @@ class EventGraph extends AppModel
)
);
public $validate = array(
'network_json' => array(
'rule' => 'valueIsJson',
@ -39,8 +39,7 @@ class EventGraph extends AppModel
public function beforeValidate($options = array())
{
parent::beforeValidate();
$date = new DateTime();
$this->data['EventGraph']['timestamp'] = $date->getTimestamp();
$this->data['EventGraph']['timestamp'] = time();
return true;
}