From 5eb6a89384b5127f4971092d3811a6037f0ed71b Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Fri, 8 Jun 2012 16:57:10 +0200
Subject: [PATCH] removed reference to useless user_id. fixed bug where Contact reporter doesn't work when user does not exist (contact reporter now sends mails to all the org)
---
 app/Controller/AppController.php | 2 +
 app/Controller/EventsController.php | 94 ++++++++++++++++-------------
 app/MYSQL.txt | 2 +-
 app/Model/Event.php | 29 +++------
 app/Model/User.php | 21 -------
 app/View/Events/xml/index.ctp | 4 +-
 app/View/Events/xml/view.ctp | 1 -
 7 files changed, 65 insertions(+), 88 deletions(-)
diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index 15a88d9b0..18884e956 100644
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -20,6 +20,8 @@
 * @license MIT License (http://www.opensource.org/licenses/mit-license.php)
 */
+// TODO GPG encryption has issues when keys are expired
+
 App::uses('Controller', 'Controller');
 App::uses('Sanitize', 'Utility');
diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index 675a4abb2..9a2848bb9 100644
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
@@ -168,7 +168,6 @@ class EventsController extends AppController {
 */
 public function _add(&$data, &$auth, $fromXml) {
 // force check userid and orgname to be from yourself
- $data['Event']['user_id'] = $auth->user('id');
 $data['Event']['org'] = $auth->user('org');
 unset ($data['Event']['id']);
 $this->Event->create();
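Review bot: The comment `// force check userid and orgname to be from yourself` above the remaining assignment is now stale: the user_id line it describes is gone and only `$data['Event']['org'] = $auth->user('org');` is still forced, so it should read `// force the org to be the caller's own org; the event no longer records which user created it`. With user_id dropped, nothing in `_add` attributes a created event to a user any more, so if that accountability is needed it has to come from request or audit logging elsewhere, which the method's docblock should state. `_add` continues past the end of the hunk.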
@@ -192,7 +191,7 @@ class EventsController extends AppController {
 }
 $fieldList = array(
- 'Event' => array('org', 'date', 'risk', 'info', 'user_id', 'published', 'uuid', 'private'),
+ 'Event' => array('org', 'date', 'risk', 'info', 'published', 'uuid', 'private'),
 'Attribute' => array('event_id', 'category', 'type', 'value', 'value1', 'value2', 'to_ids', 'uuid', 'revision', 'private')
 );
 // this saveAssociated() function will save not only the event, but also the attributes
@@ -229,14 +228,10 @@ class EventsController extends AppController {
 }
 // say what fields are to be updated
- $fieldList=array('user_id', 'date', 'risk', 'info', 'published', 'private');
- // always force the user and org, but do not force it for admins
- if (!$this->_isAdmin()) {
- $this->request->data['Event']['user_id'] = $this->Auth->user('id');
-
- } else {
- $this->Event->read();
- $this->request->data['Event']['user_id'] = $this->Event->data['Event']['user_id'];
+ $fieldList=array('date', 'risk', 'info', 'published', 'private');
+ // always force the org, but do not force it for admins
+ if ($this->_isAdmin()) {
+ $this->Event->read(); // FIXME URGENT this should be deleted? delete and test
 $fieldList[]='org';
 $this->request->data['Event']['org'] = $this->Event->data['Event']['org'];
 }
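Review bot: The new comment `// always force the org, but do not force it for admins` contradicts the code under it: the admin branch re-reads the stored event and writes its `org` back into the request, so admins cannot change `org` either, while for non-admins `org` is simply not in `$fieldList` and any submitted value is discarded by the whitelist. The `// FIXME URGENT this should be deleted? delete and test` on the `$this->Event->read();` line shows the author already suspects the branch is redundant; if it stays, the comment should describe what actually happens, e.g. `// org is never taken from the request: non-admins cannot submit it (not in $fieldList) and for admins it is pinned to the stored value`. `$this->Event->read()` with no id presumably relies on `$this->Event->id` having been set earlier in the action, outside this hunk; the enclosing method starts and ends outside the hunk.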
@@ -533,18 +528,19 @@ class EventsController extends AppController {
 /**
 *
- * Sends out an email with the request to be contacted about a specific event.
+ * Sends out an email to all people within the same group
+ * with the request to be contacted about a specific event.
 * @todo move _sendContactEmail($id, $message) to a better place. (components?)
- * FIXME this _sendContactEmail() gives bugs when a user is deleted. Maybe we should send emails to everyone?
 *
- * @param unknown_type $id The id of the event for wich you want to contact the person.
+ * @param unknown_type $id The id of the event for wich you want to contact the org.
 * @param unknown_type $message The custom message that will be appended to the email.
 * @return True if success, False if error
 */
 private function _sendContactEmail($id, $message) {
 // fetch the event
- $event = $this->Event->read(null, $id);
- $reporter = $event['User']; // email, gpgkey
+ $event = $this->Event->read(null, $id);
+ $this->loadModel('User');
+ $org_members = $this->User->findAllByOrg($event['Event']['org'], array('email', 'gpgkey'));
 // The mail body, h() is NOT needed as we are sending plain-text mails.
 $body = "";
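Review bot: `$event['Event']['org']` on the new `findAllByOrg` line is read without checking that `$this->Event->read(null, $id)` returned an event; for an unknown `$id` the read yields an empty array, the lookup runs against a null org, and the per-recipient loop further down the method sends nothing while whatever the method returns afterwards (outside this hunk) does not reflect that. Guard it right after the read, e.g. `if (empty($event['Event']['org'])) return false;`, which also matches the documented `@return True if success, False if error`. The docblock now says the mail goes to "all people within the same group" while the code selects by `org`; using one term avoids confusion. The method body continues past the end of the hunk.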
@@ -600,30 +596,8 @@ class EventsController extends AppController {
 $gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir')));
 $gpg->addSignKey(Configure::read('GnuPG.email'), Configure::read('GnuPG.password'));
 $body_signed = $gpg->sign($body, Crypt_GPG::SIGN_MODE_CLEAR);
-
- if (!empty($reporter['gpgkey'])) {
- // import the key of the user into the keyring
- // this isn't really necessary, but it gives it the fingerprint necessary for the next step
- $key_import_output = $gpg->importKey($reporter['gpgkey']);
- // say what key should be used to encrypt
- $gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir')));
- $gpg->addEncryptKey($key_import_output['fingerprint']); // use the key that was given in the import
-
- $body_enc_sig = $gpg->encrypt($body_signed, true);
- } else {
- $body_enc_sig = $body_signed;
- // FIXME should I allow sending unencrypted "contact" mails to people if they didn't import they GPG key?
- }
-
- // prepare the email
- $this->Email->from = Configure::read('CyDefSIG.email');
- $this->Email->to = $reporter['email'];
- $this->Email->subject = "[CyDefSIG] Need info about event ".$id." - TLP Amber";
- //$this->Email->delivery = 'debug'; // do not really send out mails, only display it on the screen
- $this->Email->template = 'body';
- $this->Email->sendAs = 'text'; // both text or html
- $this->set('body', $body_enc_sig);
-
+
+ // Add the GPG key of the user as attachment
 // LATER sign the attached GPG key
 if (!empty($me_user['gpgkey'])) {
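Review bot: The `if (!empty($me_user['gpgkey'])) {` attachment block that starts on the last line of this hunk (and continues past it) looks redundant now: the next hunk (@@ -637) repeats the same `$this->Email->attachments = array('gpgkey.asc' => $tmpfname)` assignment inside the per-recipient loop, where it is actually needed because `$this->Email->reset()` clears the fields after each send. Keep the temp-file creation before the loop but drop this first assignment, otherwise the attachment setup is maintained in two places; the new `// Add the GPG key of the user as attachment` comment would move with it. The code between the two hunks is outside SOURCE, so which part of it writes `$tmpfname` is inferred, not seen.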
@@ -637,9 +611,45 @@ class EventsController extends AppController {
 'gpgkey.asc' => $tmpfname
 );
 }
+
+ foreach ($org_members as $reporter) {
+ if (!empty($reporter['User']['gpgkey'])) {
+ // import the key of the user into the keyring
+ // this isn't really necessary, but it gives it the fingerprint necessary for the next step
+ $key_import_output = $gpg->importKey($reporter['User']['gpgkey']);
+ // say what key should be used to encrypt
+ $gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir')));
+ $gpg->addEncryptKey($key_import_output['fingerprint']); // use the key that was given in the import
- // send it
- $result = $this->Email->send();
+ $body_enc_sig = $gpg->encrypt($body_signed, true);
+ } else {
+ $body_enc_sig = $body_signed;
+ // FIXME should I allow sending unencrypted "contact" mails to people if they didn't import they GPG key?
+ }
+
+ // prepare the email
+ $this->Email->from = Configure::read('CyDefSIG.email');
+ $this->Email->to = $reporter['User']['email'];
+ $this->Email->subject = "[CyDefSIG] Need info about event ".$id." - TLP Amber";
+ //$this->Email->delivery = 'debug'; // do not really send out mails, only display it on the screen
+ $this->Email->template = 'body';
+ $this->Email->sendAs = 'text'; // both text or html
+ $this->set('body', $body_enc_sig);
+ // Add the GPG key of the user as attachment
+ // LATER sign the attached GPG key
+ if (!empty($me_user['gpgkey'])) {
+ // attach the gpg key
+ $this->Email->attachments = array(
+ 'gpgkey.asc' => $tmpfname
+ );
+ }
+ // send it
+ $result = $this->Email->send();
+ // If you wish to send multiple emails using a loop, you'll need
+ // to reset the email fields using the reset method of the Email component.
+ $this->Email->reset();
+
+ }
 // remove the temporary gpg file
 if (!empty($me_user['gpgkey']))
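Review bot: `$result = $this->Email->send();` inside the new `foreach` is overwritten on every iteration, so only the last recipient's outcome survives and a failed send to an earlier org member is lost; initialise `$result = true;` before the loop and accumulate with `$result = $this->Email->send() && $result;`. The `else` branch now runs per member: a single org member without a `gpgkey` receives the event details, marked TLP Amber in the subject, as clear-signed plaintext, so the old `// FIXME should I allow sending unencrypted ...` question has turned into a per-recipient disclosure decision; skipping (and logging) key-less members would be the safer default until that is settled. If `$gpg->importKey()` or `$gpg->encrypt()` throws for one member's key (the AppController TODO in this patch mentions expired keys), the exception aborts the loop and the remaining members get no mail at all; wrapping the per-member encryption in a try/catch would isolate one bad key. The enclosing method continues outside the hunk.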
@@ -680,7 +690,7 @@ class EventsController extends AppController {
 } else {
 $conditions = array();
 }
- // do not expose all the data like user_id, ...
+ // do not expose all the data ...
 $fields = array('Event.id', 'Event.date', 'Event.risk', 'Event.info', 'Event.published', 'Event.uuid');
 if ('true' == Configure::read('CyDefSIG.showorg')) {
 $fields[] = 'Event.org';
diff --git a/app/MYSQL.txt b/app/MYSQL.txt
index 4d7a9b2cc..aaa984d84 100644
--- a/app/MYSQL.txt
+++ b/app/MYSQL.txt
@@ -47,9 +47,9 @@ CREATE TABLE `events` (
 `date` date NOT NULL,
 `risk` enum('Undefined','Low','Medium','High') COLLATE utf8_bin NOT NULL,
 `info` text CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL,
- `user_id` int(11) NOT NULL,
 `published` tinyint(1) NOT NULL DEFAULT '0',
 `uuid` varchar(40) COLLATE utf8_bin NOT NULL,
+ `revision` int(11) NOT NULL DEFAULT '0',
 `private` tinyint(1) NOT NULL,
 PRIMARY KEY (`id`),
 KEY `uuid` (`uuid`),
diff --git a/app/Model/Event.php b/app/Model/Event.php
index 6d4523a86..bc1d7a87d 100644
--- a/app/Model/Event.php
+++ b/app/Model/Event.php
@@ -69,16 +69,6 @@ class Event extends AppModel {
 //'on' => 'create', // Limit validation to 'create' or 'update' operations
 ),
 ),
- 'user_id' => array(
- 'numeric' => array(
- 'rule' => array('numeric'),
- //'message' => 'Your custom message here',
- //'allowEmpty' => false,
- //'required' => false,
- //'last' => false, // Stop validation after this rule
- //'on' => 'create', // Limit validation to 'create' or 'update' operations
- ),
- ),
 'published' => array(
 'boolean' => array(
 'rule' => array('boolean'),
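Review bot: The added `` `revision` int(11) NOT NULL DEFAULT '0', `` column on `events` is unrelated to the user_id removal this commit describes, and nothing else in the patch reads or writes `Event.revision` (the `revision` in the EventsController `$fieldList` belongs to `Attribute`), so it should either be dropped from this change or explained in the commit message. MYSQL.txt is a schema dump rather than a migration, so existing installs also need the matching `ALTER TABLE events DROP COLUMN user_id` (and an `ADD COLUMN revision ...` if the column is kept); without it the old `user_id` column stays behind as orphaned data once the `belongsTo` association in Event.php is gone. A short upgrade note next to the table definition would help deployers.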
@@ -126,15 +116,15 @@ class Event extends AppModel {
 *
 * @var array
 */
- public $belongsTo = array(
- 'User' => array(
- 'className' => 'User',
- 'foreignKey' => 'user_id',
- 'conditions' => '',
- 'fields' => '',
- 'order' => ''
- )
- );
+// public $belongsTo = array(
+// 'Org' => array(
+// 'className' => 'Org',
+// 'foreignKey' => 'org',
+// 'conditions' => '',
+// 'fields' => '',
+// 'order' => ''
+// )
+// );
 /**
 * hasMany associations
@@ -258,7 +248,6 @@ class Event extends AppModel {
 unset($event['Attribute']);
 // cleanup the array from things we do not want to expose
- unset($event['Event']['user_id']);
 unset($event['Event']['org']);
 // remove value1 and value2 from the output
 foreach($event['Event']['Attribute'] as $key => $attribute) {
diff --git a/app/Model/User.php b/app/Model/User.php
index d482f088c..98bef3c3b 100644
--- a/app/Model/User.php
+++ b/app/Model/User.php
@@ -155,27 +155,6 @@ class User extends AppModel {
 //The Associations below have been created with all possible keys, those that are not needed can be removed
-/**
- * hasMany associations
- *
- * @var array
- */
- public $hasMany = array(
- 'Event' => array(
- 'className' => 'Event',
- 'foreignKey' => 'user_id',
- 'dependent' => false,
- 'conditions' => '',
- 'fields' => '',
- 'order' => '',
- 'limit' => '',
- 'offset' => '',
- 'exclusive' => '',
- 'finderQuery' => '',
- 'counterQuery' => ''
- )
- );
-
 public function beforeSave() {
 if (isset($this->data[$this->alias]['password'])) {
diff --git a/app/View/Events/xml/index.ctp b/app/View/Events/xml/index.ctp
index 623727f70..710415424 100644
--- a/app/View/Events/xml/index.ctp
+++ b/app/View/Events/xml/index.ctp
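Review bot: The new `// public $belongsTo = array(` ... `// 'Org' => array(` block is commented-out code for an `Org` model that appears nowhere in this patch, replacing a live association with dead text that static analysis and IDEs will ignore. Either delete it together with the ` * @var array` docblock above it, which now documents nothing, or reduce it to one line: `// TODO add an Org model and a belongsTo 'Org' (foreignKey 'org') association`. Removing `belongsTo User` also means `Event->read()` no longer returns a `User` key; the `_sendContactEmail` change in EventsController accounts for that, but any other reader of `$event['User']` outside this patch would now hit an undefined index, so that is worth a grep before merging.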
@@ -5,10 +5,8 @@ foreach ($events as $key => $event) {
 // rearrange things to be compatible with the Xml::fromArray()
 $events[$key] = $events[$key]['Event'];
- // cleanup the array from things we do not want to expose
- unset($events[$key]['User']);
+ // cleanup the array from things we do not want to expose
 unset($events[$key]['Event']);
- unset($events[$key]['user_id']);
 // hide the private field is we are not in sync mode
 if ('true' != Configure::read('CyDefSIG.sync')) {
 unset($events[$key]['private']);
diff --git a/app/View/Events/xml/view.ctp b/app/View/Events/xml/view.ctp
index 4c018f2b0..8ba927617 100755
--- a/app/View/Events/xml/view.ctp
+++ b/app/View/Events/xml/view.ctp
@@ -5,7 +5,6 @@ $event['Event']['Attribute'] = $event['Attribute'];
 unset($event['Attribute']);
 // cleanup the array from things we do not want to expose
-unset($event['Event']['user_id']);
 // remove value1 and value2 from the output
 foreach($event['Event']['Attribute'] as $key => $value) {
 unset($event['Event']['Attribute'][$key]['value1']);
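Review bot: The re-added `// cleanup the array from things we do not want to expose` now sits above a single `unset($events[$key]['Event']);`, which, after `$events[$key] = $events[$key]['Event'];` on the line before, appears to remove a leftover nested key rather than hide a sensitive field, so the comment no longer describes what the code does; `// drop the nested 'Event' key left over from the rearrangement above` would be accurate. Unlike the model's XML path in Event.php, which unsets `org`, nothing in this view strips `org`; that seems to be left to the controller's `$fields` whitelist gated by `CyDefSIG.showorg`, and a one-line comment saying so would keep the two exposure rules from drifting apart.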