Merge pull request #6093 from JakubOnderka/shadow-attribute-unused
fix: [security] Remove ShadowAttributesController::{fetchEditForm,editField}
pull/6095/head
commit
64195c418a
@ -437,8 +437,6 @@ class ACLComponent extends Component
|
|||
'discardSelected' => array('perm_add'),
|
||||
'download' => array('*'),
|
||||
'edit' => array('perm_add'),
|
||||
'editField' => array('perm_add'),
|
||||
'fetchEditForm' => array('perm_add'),
|
||||
'generateCorrelation' => array(),
|
||||
'getProposalsByUuid' => array('perm_sync'),
|
||||
'getProposalsByUuidList' => array('perm_sync'),
|
||||
|
|
|
@ -1046,111 +1046,6 @@ class ShadowAttributesController extends AppController
|
|||
return $this->RestResponse->viewData(array());
|
||||
}
|
||||
|
||||
public function fetchEditForm($id, $field = null)
|
||||
{
|
||||
$validFields = array('value', 'comment', 'type', 'category', 'to_ids');
|
||||
if (!isset($field) || !in_array($field, $validFields)) {
|
||||
throw new MethodNotAllowedException(__('Invalid field requested.'));
|
||||
}
|
||||
$this->loadModel('Attribute');
|
||||
$this->Attribute->id = $id;
|
||||
if (!$this->Attribute->exists()) {
|
||||
throw new NotFoundException(__('Invalid attribute'));
|
||||
}
|
||||
|
||||
$fields = array('id', 'distribution', 'event_id');
|
||||
if ($field == 'category' || $field == 'type') {
|
||||
$fields[] = 'type';
|
||||
$fields[] = 'category';
|
||||
} else {
|
||||
$fields[] = $field;
|
||||
}
|
||||
$attribute = $this->Attribute->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array('Attribute.id' => $id),
|
||||
'fields' => $fields,
|
||||
'contain' => array(
|
||||
'Event' => array(
|
||||
'fields' => array('distribution', 'id', 'user_id', 'orgc_id', 'org_id'),
|
||||
)
|
||||
)
|
||||
));
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
if ($attribute['Event']['orgc_id'] != $this->Auth->user('org_id') && ($attribute['Event']['org_id'] == $this->Auth->user('org_id') || $attribute['Event']['distribution'] > 0)) {
|
||||
// Allow the edit
|
||||
} else {
|
||||
throw new NotFoundException(__('Invalid attribute'));
|
||||
}
|
||||
}
|
||||
$this->layout = 'ajax';
|
||||
if ($field == 'distribution') {
|
||||
$this->set('distributionLevels', $this->Attribute->distributionLevels);
|
||||
}
|
||||
if ($field == 'category') {
|
||||
$typeCategory = array();
|
||||
foreach ($this->Attribute->categoryDefinitions as $k => $category) {
|
||||
foreach ($category['types'] as $type) {
|
||||
$typeCategory[$type][] = $k;
|
||||
}
|
||||
}
|
||||
$this->set('typeCategory', $typeCategory);
|
||||
}
|
||||
if ($field == 'type') {
|
||||
$this->set('categoryDefinitions', $this->Attribute->categoryDefinitions);
|
||||
}
|
||||
$this->set('object', $attribute['Attribute']);
|
||||
$fieldURL = ucfirst($field);
|
||||
$this->render('ajax/attributeEdit' . $fieldURL . 'Form');
|
||||
}
|
||||
|
||||
// ajax edit - post a single edited field and this method will attempt to create a proposal and return a json with the validation errors if they occur.
|
||||
public function editField($id)
|
||||
{
|
||||
if ((!$this->request->is('post') && !$this->request->is('put')) || !$this->request->is('ajax')) {
|
||||
throw new MethodNotAllowedException();
|
||||
}
|
||||
$this->loadModel('Attribute');
|
||||
$this->Attribute->id = $id;
|
||||
if (!$this->Attribute->exists()) {
|
||||
throw new NotFoundException(__('Invalid attribute'));
|
||||
}
|
||||
$this->Attribute->recursive = -1;
|
||||
$this->Attribute->contain('Event');
|
||||
$attribute = $this->Attribute->read();
|
||||
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
if ($attribute['Event']['orgc_id'] != $this->Auth->user('org_id') && ($attribute['Event']['org_id'] == $this->Auth->user('org_id') || $attribute['Event']['distribution'] > 0)) {
|
||||
// Allow the edit
|
||||
} else {
|
||||
throw new NotFoundException(__('Invalid attribute'));
|
||||
}
|
||||
}
|
||||
|
||||
$keys = array_flip(array('uuid', 'event_id', 'value', 'type', 'category', 'to_ids', 'first_seen', 'last_seen'));
|
||||
|
||||
$proposal = array_intersect_key($attribute['Attribute'], $keys);
|
||||
$proposal['email'] = $this->Auth->user('email');
|
||||
$proposal['org_id'] = $this->Auth->user('org_id');
|
||||
$proposal['event_uuid'] = $attribute['Event']['uuid'];
|
||||
$proposal['event_org_id'] = $attribute['Event']['orgc_id'];
|
||||
$proposal['old_id'] = $attribute['Attribute']['id'];
|
||||
foreach ($this->request->data['ShadowAttribute'] as $changedKey => $changedField) {
|
||||
if ($proposal[$changedKey] == $changedField) {
|
||||
$this->autoRender = false;
|
||||
return new CakeResponse(array('body'=> json_encode('nochange'), 'status'=>200, 'type' => 'json'));
|
||||
}
|
||||
$proposal[$changedKey] = $changedField;
|
||||
}
|
||||
|
||||
if ($this->ShadowAttribute->save($proposal)) {
|
||||
$this->autoRender = false;
|
||||
return new CakeResponse(array('body'=> json_encode(array('saved' => true)), 'status'=>200, 'type' => 'json'));
|
||||
} else {
|
||||
$this->autoRender = false;
|
||||
return new CakeResponse(array('body'=> json_encode(array('fail' => false, 'errors' => $this->ShadowAttribute->validationErrors)), 'status'=>200, 'type' => 'json'));
|
||||
}
|
||||
}
|
||||
|
||||
public function discardSelected($id)
|
||||
{
|
||||
if (!$this->request->is('post') || !$this->request->is('ajax')) {
|
||||
|
|
|
@ -1,19 +0,0 @@
|
|||
<?php
|
||||
echo $this->Form->create('ShadowAttribute', array('class' => 'inline-form inline-field-form', 'id' => 'ShadowAttribute_' . $object['id'] . '_category_form', 'url' => '/shadow_attributes/editField/' . $object['id']));
|
||||
?>
|
||||
<div class='inline-input inline-input-container'>
|
||||
<div class="inline-input-accept inline-input-button inline-input-passive"><span class = "icon-ok" title="<?php echo __('Accept');?>" role="button" tabindex="0" aria-label="<?php echo __('Accept');?>"></span></div>
|
||||
<div class="inline-input-decline inline-input-button inline-input-passive"><span class = "icon-remove" title="<?php echo __('Discard');?>" role="button" tabindex="0" aria-label="<?php echo __('Discard');?>"></span></div>
|
||||
<?php
|
||||
echo $this->Form->input('category', array(
|
||||
'options' => array(array_combine($typeCategory[$object['type']], $typeCategory[$object['type']])),
|
||||
'label' => false,
|
||||
'selected' => $object['category'],
|
||||
'error' => array('escape' => false),
|
||||
'class' => 'inline-input',
|
||||
'id' => 'ShadowAttribute_' . $object['id'] . '_category_field',
|
||||
'div' => false
|
||||
));
|
||||
echo $this->Form->end();
|
||||
?>
|
||||
</div>
|
|
@ -1,22 +0,0 @@
|
|||
<?php
|
||||
echo $this->Form->create('ShadowAttribute', array('class' => 'inline-form inline-field-form', 'id' => 'ShadowAttribute_' . $object['id'] . '_comment_form', 'url' => '/shadow_attributes/editField/' . $object['id']));
|
||||
?>
|
||||
<div class='inline-input inline-input-container'>
|
||||
<div class="inline-input-accept inline-input-button inline-input-passive"><span class = "icon-ok" title="<?php echo __('Accept');?>" role="button" tabindex="0" aria-label="<?php echo __('Accept');?>"></span></div>
|
||||
<div class="inline-input-decline inline-input-button inline-input-passive"><span class = "icon-remove" title="<?php echo __('Discard');?>" role="button" tabindex="0" aria-label="<?php echo __('Discard');?>"></span></div>
|
||||
<?php
|
||||
echo $this->Form->input('comment', array(
|
||||
'type' => 'textarea',
|
||||
'label' => false,
|
||||
'value' => $object['comment'],
|
||||
'error' => array('escape' => false),
|
||||
'class' => 'inline-input',
|
||||
'id' => 'ShadowAttribute' . '_' . $object['id'] . '_comment_field',
|
||||
'div' => false
|
||||
));
|
||||
echo $this->Form->end();
|
||||
?>
|
||||
</div>
|
||||
<?php
|
||||
echo $this->Form->end();
|
||||
?>
|
|
@ -1,20 +0,0 @@
|
|||
<?php
|
||||
echo $this->Form->create('ShadowAttribute', array('class' => 'inline-form inline-field-form', 'id' => 'Attribute' . '_' . $object['id'] . '_to_ids_form', 'url' => '/shadow_attributes/editField/' . $object['id']));
|
||||
?>
|
||||
<div class='inline-input inline-input-container'>
|
||||
<div class="inline-input-accept inline-input-button inline-input-passive"><span class = "icon-ok" title="<?php echo __('Accept');?>" role="button" tabindex="0" aria-label="<?php echo __('Accept');?>"></span></div>
|
||||
<div class="inline-input-decline inline-input-button inline-input-passive"><span class = "icon-remove" title="<?php echo __('Discard');?>" role="button" tabindex="0" aria-label="<?php echo __('Discard');?>"></span></div>
|
||||
<?php
|
||||
$current = 0;
|
||||
if ($object['to_ids']) $current = 1;
|
||||
echo $this->Form->input('to_ids', array(
|
||||
'options' => array(0 => 'No', 1 => 'Yes'),
|
||||
'label' => false,
|
||||
'selected' => $current,
|
||||
'class' => 'inline-input',
|
||||
'id' => 'ShadowAttribute' . '_' . $object['id'] . '_to_ids_field',
|
||||
'div' => false
|
||||
));
|
||||
echo $this->Form->end();
|
||||
?>
|
||||
</div>
|
|
@ -1,19 +0,0 @@
|
|||
<?php
|
||||
echo $this->Form->create('ShadowAttribute', array('class' => 'inline-form inline-field-form', 'id' => 'ShadowAttribute_' . $object['id'] . '_type_form', 'url' => '/shadow_attributes/editField/' . $object['id']));
|
||||
?>
|
||||
<div class='inline-input inline-input-container'>
|
||||
<div class="inline-input-accept inline-input-button inline-input-passive"><span class = "icon-ok" title="<?php echo __('Accept');?>" role="button" tabindex="0" aria-label="<?php echo __('Accept');?>"></span></div>
|
||||
<div class="inline-input-decline inline-input-button inline-input-passive"><span class = "icon-remove" title="<?php echo __('Discard');?>" role="button" tabindex="0" aria-label="<?php echo __('Discard');?>"></span></div>
|
||||
<?php
|
||||
echo $this->Form->input('type', array(
|
||||
'options' => array(array_combine($categoryDefinitions[$object['category']]['types'], $categoryDefinitions[$object['category']]['types'])),
|
||||
'label' => false,
|
||||
'selected' => $object['type'],
|
||||
'error' => array('escape' => false),
|
||||
'class' => 'inline-input',
|
||||
'id' => 'ShadowAttribute_' . $object['id'] . '_type_field',
|
||||
'div' => false
|
||||
));
|
||||
echo $this->Form->end();
|
||||
?>
|
||||
</div>
|
|
@ -1,21 +0,0 @@
|
|||
<?php
|
||||
echo $this->Form->create('ShadowAttribute', array('class' => 'inline-form inline-field-form', 'id' => 'ShadowAttribute_' . $object['id'] . '_value_form', 'url' => '/shadow_attributes/editField/' . $object['id'], 'default' => false));
|
||||
?>
|
||||
<div class='inline-input inline-input-container'>
|
||||
<div class="inline-input-accept inline-input-button inline-input-passive"><span class = "icon-ok" title="<?php echo __('Accept');?>" role="button" tabindex="0" aria-label="<?php echo __('Accept');?>"></span></div>
|
||||
<div class="inline-input-decline inline-input-button inline-input-passive"><span class = "icon-remove" title="<?php echo __('Discard');?>" role="button" tabindex="0" aria-label="<?php echo __('Discard');?>"></span></div>
|
||||
<?php
|
||||
echo $this->Form->input('value', array(
|
||||
'type' => 'textarea',
|
||||
'label' => false,
|
||||
'value' => $object['value'],
|
||||
'error' => array('escape' => false),
|
||||
'class' => 'inline-input',
|
||||
'id' => 'ShadowAttribute_' . $object['id'] . '_value_field',
|
||||
'div' => false
|
||||
));
|
||||
?>
|
||||
</div>
|
||||
<?php
|
||||
echo $this->Form->end();
|
||||
?>
|
|
@ -1,132 +0,0 @@
|
|||
<div class="shadow_attributes <?php if (!isset($ajax) || !$ajax) echo 'form';?>">
|
||||
<?php echo $this->Form->create('ShadowAttribute');?>
|
||||
<fieldset>
|
||||
<legend><?php echo __('Add Proposal'); ?></legend>
|
||||
<?php
|
||||
echo $this->Form->input('id');
|
||||
echo $this->Form->input('category', array(
|
||||
'empty' => __('(choose one)'),
|
||||
'div' => 'input',
|
||||
'label' => __('Category ') . $this->element('formInfo', array('type' => 'category')),
|
||||
));
|
||||
$typeInputData = array(
|
||||
'empty' => __('(first choose category)'),
|
||||
'label' => __('Type ') . $this->element('formInfo', array('type' => 'type')),
|
||||
);
|
||||
if ($objectAttribute) {
|
||||
$typeInputData[] = 'disabled';
|
||||
}
|
||||
if (!$attachment) {
|
||||
echo $this->Form->input('type', $typeInputData);
|
||||
}
|
||||
?>
|
||||
<div class="input clear"></div>
|
||||
<?php
|
||||
echo $this->Form->input('value', array(
|
||||
'type' => 'textarea',
|
||||
'error' => array('escape' => false),
|
||||
'class' => 'input-xxlarge clear'
|
||||
));
|
||||
echo $this->Form->input('comment', array(
|
||||
'type' => 'text',
|
||||
'label' => __('Contextual Comment'),
|
||||
'error' => array('escape' => false),
|
||||
'div' => 'input clear',
|
||||
'class' => 'input-xxlarge'
|
||||
));
|
||||
?>
|
||||
<div class="input clear"></div>
|
||||
<?php
|
||||
echo $this->Form->input('to_ids', array(
|
||||
'label' => __('IDS Signature?'),
|
||||
));
|
||||
echo $this->Form->input('first_seen', array(
|
||||
'type' => 'text',
|
||||
'div' => 'input hidden',
|
||||
'required' => false,
|
||||
));
|
||||
echo $this->Form->input('last_seen', array(
|
||||
'type' => 'text',
|
||||
'div' => 'input hidden',
|
||||
'required' => false,
|
||||
));
|
||||
?>
|
||||
<div id="bothSeenSliderContainer"></div>
|
||||
</fieldset>
|
||||
<p style="color:red;font-weight:bold;display:none;<?php if (isset($ajax) && $ajax) echo "text-align:center;"?>" id="warning-message"><?php echo __('Warning: You are about to share data that is of a sensitive nature (Attribution / targeting data). Make sure that you are authorised to share this.');?></p>
|
||||
<?php if (isset($ajax) && $ajax): ?>
|
||||
<div class="overlay_spacing">
|
||||
<table>
|
||||
<tr>
|
||||
<td style="vertical-align:top">
|
||||
<span role="button" tabindex="0" aria-label="<?php echo __('Propose');?>" title="<?php echo __('Propose');?>" id="submitButton" class="btn btn-primary" onClick="submitPopoverForm('<?php echo $event_id;?>', 'propose')"><?php echo __('Propose');?></span>
|
||||
</td>
|
||||
<td style="width:540px;">
|
||||
<p style="color:red;font-weight:bold;display:none;<?php if (isset($ajax) && $ajax) echo "text-align:center;"?>" id="warning-message"><?php echo __('Warning: You are about to share data that is of a sensitive nature (Attribution / targeting data). Make sure that you are authorised to share this.');?></p>
|
||||
</td>
|
||||
<td style="vertical-align:top;">
|
||||
<span class="btn btn-inverse" id="cancel_attribute_add"><?php echo __('Cancel');?></span>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<?php
|
||||
else:
|
||||
echo $this->Form->button('Propose', array('class' => 'btn btn-primary'));
|
||||
endif;
|
||||
echo $this->Form->end();
|
||||
?>
|
||||
</div>
|
||||
<?php
|
||||
$event['Event']['id'] = $this->request->data['ShadowAttribute']['event_id'];
|
||||
echo $this->element('/genericElements/SideMenu/side_menu', array('menuList' => 'event', 'menuItem' => 'proposeAttribute', 'event' => $event));
|
||||
|
||||
echo $this->element('form_seen_input');
|
||||
?>
|
||||
|
||||
<script type="text/javascript">
|
||||
<?php
|
||||
$formInfoTypes = array('category' => 'Category', 'type' => 'Type');
|
||||
echo 'var formInfoFields = ' . json_encode($formInfoTypes) . PHP_EOL;
|
||||
foreach ($formInfoTypes as $formInfoType => $humanisedName) {
|
||||
echo 'var ' . $formInfoType . 'FormInfoValues = {' . PHP_EOL;
|
||||
foreach ($info[$formInfoType] as $key => $formInfoData) {
|
||||
echo '"' . $key . '": "<span class=\"blue bold\">' . h($formInfoData['key']) . '</span>: ' . h($formInfoData['desc']) . '<br />",' . PHP_EOL;
|
||||
}
|
||||
echo '}' . PHP_EOL;
|
||||
}
|
||||
?>
|
||||
//
|
||||
//Generate Category / Type filtering array
|
||||
//
|
||||
var category_type_mapping = new Array();
|
||||
<?php
|
||||
foreach ($categoryDefinitions as $category => $def) {
|
||||
echo "category_type_mapping['" . addslashes($category) . "'] = {";
|
||||
$first = true;
|
||||
foreach ($def['types'] as $type) {
|
||||
if ($first) $first = false;
|
||||
else echo ', ';
|
||||
echo "'" . addslashes($type) . "' : '" . addslashes($type) . "'";
|
||||
}
|
||||
echo "}; \n";
|
||||
}
|
||||
?>
|
||||
|
||||
$(document).ready(function() {
|
||||
initPopoverContent('ShadowAttribute');
|
||||
$("#ShadowAttributeCategory").on('change', function(e) {
|
||||
formCategoryChanged('ShadowAttribute');
|
||||
if ($(this).val() === 'Attribution' || $(this).val() === 'Targeting data') {
|
||||
$("#warning-message").show();
|
||||
} else {
|
||||
$("#warning-message").hide();
|
||||
}
|
||||
});
|
||||
|
||||
$("#ShadowAttributeCategory, #ShadowAttributeType").change(function() {
|
||||
initPopoverContent('ShadowAttribute');
|
||||
});
|
||||
});
|
||||
</script>
|
||||
<?php echo $this->Js->writeBuffer(); // Write cached scripts
|
|
@ -480,9 +480,7 @@ function activateField(type, id, field, event) {
|
|||
if (type == 'denyForm') return;
|
||||
var objectType = 'attributes';
|
||||
var containerName = 'Attribute';
|
||||
if (type == 'ShadowAttribute') {
|
||||
objectType = 'shadow_attributes';
|
||||
} else if (type == 'Object') {
|
||||
if (type == 'Object') {
|
||||
objectType = 'objects';
|
||||
containerName = 'Object';
|
||||
}
|
||||
|
@ -623,9 +621,7 @@ function submitForm(type, id, field, context) {
|
|||
var object_type = 'attributes';
|
||||
var action = "editField";
|
||||
var name = '#' + type + '_' + id + '_' + field;
|
||||
if (type == 'ShadowAttribute') {
|
||||
object_type = 'shadow_attributes';
|
||||
} else if (type == 'Object') {
|
||||
if (type == 'Object') {
|
||||
object_type = 'objects';
|
||||
}
|
||||
$.ajax({
|
||||
|
|
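Review bot: With the `ShadowAttribute` branch gone from `activateField`, a call that still passes `type == 'ShadowAttribute'` no longer maps to `shadow_attributes` but silently keeps the default `objectType = 'attributes'` set just above, so a stale caller would be routed to the attributes endpoints instead of being refused the way `denyForm` is on the first context line. The same fall-through exists in the `submitForm` hunk below, where `object_type` defaults to `'attributes'` and `action` is `"editField"`, meaning such a call would now post to the attributes edit action rather than creating a proposal. If no view still invokes these with that type this is harmless, but the callers are not visible from here; an explicit guard makes the intent of the removal visible and fails closed, e.g. `if (type == 'denyForm' || type == 'ShadowAttribute') return;` in `activateField` and an equivalent early return at the top of `submitForm`. Both function bodies continue outside their hunks.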