Tighter checks so users can't edit events of other orgs

pull/63/head
Andras Iklody 2013-03-05 16:17:34 +01:00
parent 32dc28adb9
commit 64f304da48
4 changed files with 17 additions and 12 deletions


@ -521,12 +521,13 @@ class EventsController extends AppController {
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
}
//if (!$this->Event->data['Event']['org'] == $this->_checkOrg()){
//throw new MethodNotAllowedException();
//$this->Session->setFlash(__('Invalid event.'));
//$this->redirect(array('controller' => 'users', 'action' => 'terms'));
//}
//}
if (!$this->_isRest()) {
if ($this->Event->data['Event']['org'] != $this->_checkOrg()){
// throw new MethodNotAllowedException();
$this->Session->setFlash(__('Invalid event.'));
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
}
// check if the user is of the creating org, if not, don't let him/her change the distribution.
$canEditDist = false;
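Review bot: The new org check at line 22 runs only when `_isRest()` is false, so a REST client authenticated for another org still reaches the edit logic below the hunk; the commit title promises users can't edit other orgs' events, but the REST path keeps the previous behaviour. The check should sit outside the `_isRest()` guard, with the REST branch failing fast instead of redirecting, e.g. `if ($this->Event->data['Event']['org'] != $this->_checkOrg()) {` followed by `if ($this->_isRest()) throw new MethodNotAllowedException();` and then the existing flash/redirect for the browser case. Since this comparison decides authorization, it should also be strict (`!==`) if both sides are strings of the same type; the same loose `==` on `org` and `user_id` appears in the view gating at line 54 and in the `$mayPublish` expression at line 61. The enclosing edit action starts before the hunk and continues after it.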


@ -58,7 +58,11 @@ foreach ($attributes as $attribute): ?>
if ('attachment' == $attribute['Attribute']['type'] || 'malware-sample' == $attribute['Attribute']['type']) {
echo $this->Html->link($sigDisplay, array('controller' => 'attributes', 'action' => 'download', $attribute['Attribute']['id']), array('escape' => FALSE));
} elseif ('link' == $attribute['Attribute']['type']) {
echo $this->Html->link($sigDisplay, nl2br($attribute['Attribute']['valueNoScript']), array('escape' => FALSE));
if (isset($attribute['Attribute']['ValueNoScript'])) {
echo $this->Html->link($sigDisplay, nl2br($attribute['Attribute']['valueNoScript']), array('escape' => FALSE));
} else {
echo $this->Html->link($sigDisplay, nl2br($attribute['Attribute']['value']), array('escape' => FALSE));
}
} else {
echo $sigDisplay;
}
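Review bot: The added guard at line 38 tests `$attribute['Attribute']['ValueNoScript']` with a capital V, while the branch body on line 39 (and the line it replaces) read `valueNoScript`; PHP array keys are case-sensitive, so unless the model sets both spellings the isset is always false and the else branch always emits the raw `value` with `'escape' => FALSE`, which is exactly what the no-script variant appears meant to avoid. Change the guard to `if (isset($attribute['Attribute']['valueNoScript'])) {`. If falling back to `value` is intended for rows where the sanitised field is absent, that fallback should be rendered with escaping enabled rather than `'escape' => FALSE`. The enclosing foreach starts before the hunk.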


@ -102,7 +102,7 @@ foreach ($events as $event):?>
elseif (0 == $event['Event']['published']) echo 'Not published';
?>
<?php
if ($isAdmin || ($isAclModify && $event['Event']['user_id'] == $me['id']) || ($isAclModifyOrg && $event['Event']['org'] == $me['org'])) {
if ($isSiteAdmin || ($isAclModify && $event['Event']['user_id'] == $me['id']) || ($isAclModifyOrg && $event['Event']['org'] == $me['org'])) {
echo $this->Html->link(__('Edit', true), array('action' => 'edit', $event['Event']['id']), null);
echo $this->Form->postLink(__('Delete'), array('action' => 'delete', $event['Event']['id']), null, __('Are you sure you want to delete # %s?', $event['Event']['id']));
}?>


@ -35,7 +35,7 @@ $mayPublish = ($isAclPublish && $event['Event']['org'] == $me['org']);
// only show button if alert has not been sent // LATER show the ALERT button in red-ish
?>
<ul><li><?php
if ($isAdmin || $mayPublish) {
if ($isSiteAdmin || $mayPublish) {
echo $this->Form->postLink('Publish Event', array('action' => 'alert', $event['Event']['id']), null, 'Are you sure this event is complete and everyone should be informed?');
echo $this->Form->postLink('Publish (no email)', array('action' => 'publish', $event['Event']['id']), null, 'Publish but do NOT send alert email? Only for minor changes!');
}
@ -248,7 +248,7 @@ if (!empty($event['Attribute'])):?>
<?php
endif;?>
<?php
if ($isAdmin || $mayModify): ?>
if ($isSiteAdmin || $mayModify): ?>
<td class="actions">
<?php
echo $this->Html->link(__('Edit', true), array('controller' => 'attributes', 'action' => 'edit', $attribute['id']));
@ -266,7 +266,7 @@ if (!empty($event['Attribute'])):?>
<?php
endif; ?>
<?php
if ($isAdmin || $mayModify): ?>
if ($isSiteAdmin || $mayModify): ?>
<div class="actions">
<ul>
<li><?php echo $this->Html->link('Add Attribute', array('controller' => 'attributes', 'action' => 'add', $event['Event']['id']));?> </li>
@ -281,7 +281,7 @@ endif; ?>
<div class="actions">
<ul>
<?php
if ($isAdmin || $mayModify): ?>
if ($isSiteAdmin || $mayModify): ?>
<li><?php echo $this->Html->link(__('Add Attribute', true), array('controller' => 'attributes', 'action' => 'add', $event['Event']['id']));?> </li>
<li><?php echo $this->Html->link(__('Add Attachment', true), array('controller' => 'attributes', 'action' => 'add_attachment', $event['Event']['id']));?> </li>
<li><?php echo $this->Html->link(__('Edit Event', true), array('action' => 'edit', $event['Event']['id'])); ?> </li>