diff --git a/app/Controller/SharingGroupsController.php b/app/Controller/SharingGroupsController.php
index 9b5184fcb..329d39275 100644
--- a/app/Controller/SharingGroupsController.php
+++ b/app/Controller/SharingGroupsController.php
@@ -41,9 +41,8 @@ class SharingGroupsController extends AppController
 public function add()
 {
- if (!$this->userRole['perm_sharing_group']) {
- throw new MethodNotAllowedException('You don\'t have the required privileges to do that.');
- }
+ $canModifyUuid = $this->Auth->user()['Role']['perm_site_admin'];
+
 if ($this->request->is('post')) {
 if ($this->_isRest()) {
 if (isset($this->request->data['SharingGroup'])) {
@@ -79,6 +78,9 @@ class SharingGroupsController extends AppController
 }
 }
 $this->SharingGroup->create();
+ if (!$canModifyUuid) {
+ unset($sg['uuid']);
+ }
 $sg['active'] = $sg['active'] ? 1: 0;
 $sg['roaming'] = $sg['roaming'] ? 1: 0;
 $sg['organisation_uuid'] = $this->Auth->user('Organisation')['uuid'];
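Review bot: The `perm_sharing_group` gate at the top of add() is removed and nothing in this hunk takes its place; unless that permission is now enforced centrally (for instance by per-action ACL rules for this controller, which this diff does not show), any authenticated user reaches the create path, so the commit should state where the check moved. The same removal appears in edit() in the `@@ -124` hunk of this file. `$canModifyUuid` is assigned the raw `perm_site_admin` value and later used both as a flag and as a view variable; cast it so its type is stable: `$canModifyUuid = (bool)$this->Auth->user()['Role']['perm_site_admin'];`. The add() body continues past the end of the hunk.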
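Review bot: A client-supplied `uuid` is dropped silently for non-site-admins at `unset($sg['uuid'])`; a REST caller that sets it (for example to recreate a sharing group under a known identifier) gets a group with a freshly generated UUID and no indication that its value was ignored. Reject the request or at least make the drop visible, e.g. `if (!$canModifyUuid && !empty($sg['uuid'])) { throw new MethodNotAllowedException('Only site admins may set the sharing group UUID.'); }`, or keep the unset and add a comment explaining that the model assigns a UUID when none is present. For the site-admin path the hunk does not show any format validation of the supplied value; if the model's validation rules do not cover `uuid`, that is where it belongs. The add() body continues outside the hunk on both sides.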
@@ -124,23 +126,15 @@ class SharingGroupsController extends AppController
 } elseif ($this->_isRest()) {
 return $this->RestResponse->describe('SharingGroup', 'add', false, $this->response->type());
 }
-
- $orgs = $this->SharingGroup->Organisation->find('all', array(
- 'conditions' => array('local' => 1),
- 'recursive' => -1,
- 'fields' => array('id', 'name', 'uuid')
- ));
- $this->set('orgs', $orgs);
+ $this->set('localInstance', empty(Configure::read('MISP.external_baseurl')) ? Configure::read('MISP.baseurl') : Configure::read('MISP.external_baseurl'));
 // We just pass true and allow the user to edit, since he/she is just about to create the SG. This is needed to reuse the view for the edit
 $this->set('user', $this->Auth->user());
+ $this->set('canModifyUuid', $canModifyUuid);
 }
 public function edit($id = false)
 {
- if (!$this->userRole['perm_sharing_group']) {
- throw new MethodNotAllowedException('You don\'t have the required privileges to do that.');
- }
 if (empty($id)) {
 throw new NotFoundException('Invalid sharing group.');
 }
@@ -163,6 +157,10 @@ class SharingGroupsController extends AppController
 ),
 ),
 ));
+ if (empty($sharingGroup)) {
+ throw new NotFoundException('Invalid sharing group.');
+ }
+
 if (!$this->SharingGroup->checkIfAuthorisedExtend($this->Auth->user(), $sharingGroup['SharingGroup']['id'])) {
 throw new MethodNotAllowedException('Action not allowed.');
 }
diff --git a/app/Model/SharingGroup.php b/app/Model/SharingGroup.php
index 8c90467bc..68a235af3 100644
--- a/app/Model/SharingGroup.php
+++ b/app/Model/SharingGroup.php
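Review bot: The view no longer receives `$orgs`; `add.ctp` is changed in this commit but its added lines are not readable here, so confirm that the template and any shared element it includes no longer iterate `$orgs`, otherwise this is an undefined-variable notice at render time. The `localInstance` expression can be written `Configure::read('MISP.external_baseurl') ?: Configure::read('MISP.baseurl')`, which is equivalent for the empty/null cases `empty()` covers and reads more clearly; wherever the view prints it, it should go through `h()` since it lands in HTML. The comment "We just pass true and allow the user to edit" no longer describes the line below it, which passes the user array; reword it to `// The view is shared with edit(); pass the current user so it can render the creator's organisation`. The add() method begins before the hunk.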
@@ -306,14 +306,19 @@ class SharingGroup extends AppModel
 return $sharingGroups;
 }
- // Who can create a new sharing group with the elements pre-defined (via REST for example)?
- // 1. site admins
- // 2. Sharing group enabled users
- // a. as long as they are creator or extender of the SG object
- // 3. Sync users
- // a. as long as they are at least users of the SG (they can circumvent the extend rule to
- // avoid situations where no one can create / edit an SG on an instance after a push)
- public function checkIfAuthorisedToSave($user, $sg)
+ /**
+ * Who can create a new sharing group with the elements pre-defined (via REST for example)?
+ * 1. site admins
+ * 2. Sharing group enabled users
+ * a. as long as they are creator or extender of the SG object
+ * 3. Sync users
+ * a. as long as they are at least users of the SG (they can circumvent the extend rule to
+ * avoid situations where no one can create / edit an SG on an instance after a push)
+ * @param array $user
+ * @param array $sg
+ * @return bool
+ */
+ private function checkIfAuthorisedToSave(array $user, array $sg)
 {
 if (isset($sg[0])) {
 $sg = $sg[0];
@@ -379,7 +384,7 @@ class SharingGroup extends AppModel
 // a. Belong to the organisation that created the SG
 // b. Have an organisation entry in the SG with the extend flag set
 // 3. Sync users that have synced the SG to the local instance
- public function checkIfAuthorisedExtend($user, $id)
+ public function checkIfAuthorisedExtend(array $user, $id)
 {
 if ($user['Role']['perm_site_admin']) {
 return true;
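Review bot: Changing `checkIfAuthorisedToSave` from public to private is an interface change; any controller or other model that still calls it (none is visible in this diff) will fail at runtime with a visibility error rather than at review time, so grep callers before merging. The new docblock is welcome, but the body immediately unwraps `$sg[0]`, so the parameter description should say that both shapes are accepted: `@param array $sg Sharing group, or a single-element list wrapping it (`$sg[0]`)`. The function body continues past the hunk.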
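Review bot: `checkIfAuthorisedExtend` gains an `array` hint for `$user`, but `$id` stays undocumented and the description above it remains a run of `//` comments, unlike the sibling `checkIfAuthorisedToSave` that this commit converts to a docblock. For consistency, convert this one too and add `@param array $user`, `@param int $id` (or `int|string` if callers pass raw request values), `@return bool`. The method body continues past the hunk.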
@@ -644,15 +649,16 @@ class SharingGroup extends AppModel
 }
 }
- /*
+ /**
 * Capture a new sharing group, rather than update an existing one
 *
 * @param array $user
 * @param array $sg
- * @param boolean syncLocal
- * @return int || false
+ * @param boolean $syncLocal
+ * @return int|false
+ * @throws Exception
 */
- private function captureSGNew($user, $sg, $syncLocal)
+ private function captureSGNew(array $user, array $sg, $syncLocal)
 {
 // check if current user is contained in the SG and we are in a local sync setup
 if (!empty($sg['uuid'])) {
@@ -666,7 +672,7 @@ class SharingGroup extends AppModel
 $authorisedToSave = $this->checkIfAuthorisedToSave($user, $sg);
 }
 if (!$user['Role']['perm_site_admin'] &&
- !($user['Role']['perm_sync'] && $syncLocal ) &&
+ !($user['Role']['perm_sync'] && $syncLocal) &&
 !$authorisedToSave
 ) {
 $this->loadLog()->createLogEntry($user, 'error', 'SharingGroup', 0, "Tried to save a sharing group with UUID '{$sg['uuid']}' but the user does not belong to it.");
diff --git a/app/View/SharingGroups/add.ctp b/app/View/SharingGroups/add.ctp
index b3ec48e3d..aa3efc9f2 100644
--- a/app/View/SharingGroups/add.ctp
+++ b/app/View/SharingGroups/add.ctp
@@ -48,6 +48,10 @@
 }
 ?>
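Review bot: The docblock's `@param boolean $syncLocal` should use the short form `bool`, matching the native-type naming the rest of this block moves toward, and `$syncLocal` could carry the hint like the two array parameters: `private function captureSGNew(array $user, array $sg, bool $syncLocal)` — only if every caller passes a real bool, which the diff does not show. `@throws Exception` is added but no `throw` is visible in the hunk; if it propagates from a callee, say which in the description so the reader knows where to look. The function body continues past the hunk.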
+
+
+
+
diff --git a/app/webroot/js/misp.js b/app/webroot/js/misp.js
index 5f77693dd..1c1d49a14 100644
--- a/app/webroot/js/misp.js
+++ b/app/webroot/js/misp.js
@@ -3204,15 +3204,16 @@ function cancelPicklistValues() {
 function sgSubmitForm(action) {
 var ajax = {
- 'organisations': organisations,
- 'servers': servers,
- 'sharingGroup': {
- 'name': $('#SharingGroupName').val(),
- 'releasability': $('#SharingGroupReleasability').val(),
- 'description': $('#SharingGroupDescription').val(),
- 'active': $('#SharingGroupActive').is(":checked"),
- 'roaming': $('#SharingGroupRoaming').is(":checked"),
- }
+ 'organisations': organisations,
+ 'servers': servers,
+ 'sharingGroup': {
+ 'uuid': $('#SharingGroupUuid').val(),
+ 'name': $('#SharingGroupName').val(),
+ 'releasability': $('#SharingGroupReleasability').val(),
+ 'description': $('#SharingGroupDescription').val(),
+ 'active': $('#SharingGroupActive').is(":checked"),
+ 'roaming': $('#SharingGroupRoaming').is(":checked"),
+ }
 };
 $('#SharingGroupJson').val(JSON.stringify(ajax));
 var formName = "#SharingGroup" + action + "Form";
@@ -3274,6 +3275,7 @@ function sharingGroupPopulateFromJson() {
 }
 $('#SharingGroupName').attr('value', jsonparsed.sharingGroup.name);
 $('#SharingGroupReleasability').attr('value', jsonparsed.sharingGroup.releasability);
+ $('#SharingGroupUuid').attr('value', jsonparsed.sharingGroup.uuid);
 $('#SharingGroupDescription').text(jsonparsed.sharingGroup.description);
 }
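Review bot: `'uuid': $('#SharingGroupUuid').val()` is sent unconditionally; when the input is absent from the page jQuery returns `undefined` and `JSON.stringify` drops the key, but when it is present and left blank the server receives `uuid: ""`, which is not the same as "not provided" and may interact differently with the model's UUID defaulting and validation than an absent key does. Send it only when filled: `var uuid = $('#SharingGroupUuid').val(); if (uuid) { ajax.sharingGroup.uuid = uuid; }`. Most of the hunk is a re-indent of the existing object literal, which makes the one functional line easy to miss in review; a separate whitespace commit would have helped. The function continues past the hunk.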