Tighter checks so users can't edit events of other orgs
parent
32dc28adb9
commit
64f304da48
|
@ -521,12 +521,13 @@ class EventsController extends AppController {
|
|||
$this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
}
|
||||
}
|
||||
//if (!$this->Event->data['Event']['org'] == $this->_checkOrg()){
|
||||
//throw new MethodNotAllowedException();
|
||||
//$this->Session->setFlash(__('Invalid event.'));
|
||||
//$this->redirect(array('controller' => 'users', 'action' => 'terms'));
|
||||
//}
|
||||
//}
|
||||
if (!$this->_isRest()) {
|
||||
if ($this->Event->data['Event']['org'] != $this->_checkOrg()){
|
||||
// throw new MethodNotAllowedException();
|
||||
$this->Session->setFlash(__('Invalid event.'));
|
||||
$this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
}
|
||||
}
|
||||
|
||||
// check if the user is of the creating org, if not, don't let him/her change the distribution.
|
||||
$canEditDist = false;
|
||||
|
|
|
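Review bot: The org-ownership check added at `if ($this->Event->data['Event']['org'] != $this->_checkOrg())` is wrapped in `if (!$this->_isRest())`, so a REST request editing another org's event skips the check entirely and continues unless something outside this hunk stops it — the opposite of what the commit title promises. The non-REST branch is only a soft deny (flash + redirect) with `throw new MethodNotAllowedException()` left commented out; on the REST path the exception is the correct response, and whether `!=` can safely become `!==` depends on what `_checkOrg()` returns (string vs int), which is not visible here. The views in this same commit exempt site admins (`$isSiteAdmin || $mayModify`), but this controller check has no such exemption; if site admins are meant to edit any org's event, the server-side check must say so, otherwise the views over-promise. The enclosing edit action starts before this hunk and its body continues after it.
```php
// Deny edits to events of other orgs for every request type, not only the web UI.
if ($this->Event->data['Event']['org'] != $this->_checkOrg()) {
    if ($this->_isRest()) {
        throw new MethodNotAllowedException();
    }
    $this->Session->setFlash(__('Invalid event.'));
    $this->redirect(array('controller' => 'events', 'action' => 'index'));
}
// … unchanged: $canEditDist handling …
```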
@ -58,7 +58,11 @@ foreach ($attributes as $attribute): ?>
|
|||
if ('attachment' == $attribute['Attribute']['type'] || 'malware-sample' == $attribute['Attribute']['type']) {
|
||||
echo $this->Html->link($sigDisplay, array('controller' => 'attributes', 'action' => 'download', $attribute['Attribute']['id']), array('escape' => FALSE));
|
||||
} elseif ('link' == $attribute['Attribute']['type']) {
|
||||
echo $this->Html->link($sigDisplay, nl2br($attribute['Attribute']['valueNoScript']), array('escape' => FALSE));
|
||||
if (isset($attribute['Attribute']['ValueNoScript'])) {
|
||||
echo $this->Html->link($sigDisplay, nl2br($attribute['Attribute']['valueNoScript']), array('escape' => FALSE));
|
||||
} else {
|
||||
echo $this->Html->link($sigDisplay, nl2br($attribute['Attribute']['value']), array('escape' => FALSE));
|
||||
}
|
||||
} else {
|
||||
echo $sigDisplay;
|
||||
}
|
||||
|
|
|
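Review bot: The guard added as `if (isset($attribute['Attribute']['ValueNoScript']))` tests a key spelled with a capital V, while the branch under it reads `valueNoScript`; PHP array keys are case-sensitive, so unless a key with that exact spelling exists the guarded branch never runs and every `link`-type attribute falls through to `nl2br($attribute['Attribute']['value'])`. That fallback is rendered with `'escape' => FALSE`, so the raw value lands in the href verbatim, which is exactly what a field named `valueNoScript` appears meant to prevent (its purpose is inferred from the name; confirm in the model). The guard should read `if (isset($attribute['Attribute']['valueNoScript'])) {`, and the raw-`value` fallback should not disable escaping, or should go away entirely if `valueNoScript` is always populated. The surrounding `foreach ($attributes as $attribute)` begins before this hunk.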
@ -102,7 +102,7 @@ foreach ($events as $event):?>
|
|||
elseif (0 == $event['Event']['published']) echo 'Not published';
|
||||
?>
|
||||
<?php
|
||||
if ($isAdmin || ($isAclModify && $event['Event']['user_id'] == $me['id']) || ($isAclModifyOrg && $event['Event']['org'] == $me['org'])) {
|
||||
if ($isSiteAdmin || ($isAclModify && $event['Event']['user_id'] == $me['id']) || ($isAclModifyOrg && $event['Event']['org'] == $me['org'])) {
|
||||
echo $this->Html->link(__('Edit', true), array('action' => 'edit', $event['Event']['id']), null);
|
||||
echo $this->Form->postLink(__('Delete'), array('action' => 'delete', $event['Event']['id']), null, __('Are you sure you want to delete # %s?', $event['Event']['id']));
|
||||
}?>
|
||||
|
|
|
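Review bot: Replacing `$isAdmin` with `$isSiteAdmin` in the `if` only changes who sees the Edit/Delete links; it is not access control, because the `edit` and `delete` URLs built by the `link`/`postLink` calls can be requested directly. The commit adds a server-side org check to the edit action, but nothing visible here shows the `delete` action enforcing the same `user_id`/`org` condition — worth confirming, otherwise this hunk gives a false sense of enforcement. The comparisons `$event['Event']['user_id'] == $me['id']` and `$event['Event']['org'] == $me['org']` are loose; `===` is preferable once both sides are confirmed to be the same scalar type. The enclosing `foreach ($events as $event)` starts before this hunk.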
@ -35,7 +35,7 @@ $mayPublish = ($isAclPublish && $event['Event']['org'] == $me['org']);
|
|||
// only show button if alert has not been sent // LATER show the ALERT button in red-ish
|
||||
?>
|
||||
<ul><li><?php
|
||||
if ($isAdmin || $mayPublish) {
|
||||
if ($isSiteAdmin || $mayPublish) {
|
||||
echo $this->Form->postLink('Publish Event', array('action' => 'alert', $event['Event']['id']), null, 'Are you sure this event is complete and everyone should be informed?');
|
||||
echo $this->Form->postLink('Publish (no email)', array('action' => 'publish', $event['Event']['id']), null, 'Publish but do NOT send alert email? Only for minor changes!');
|
||||
}
|
||||
|
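Review bot: The switch to `$isSiteAdmin || $mayPublish` on the Publish buttons governs display only; the `alert` and `publish` actions they post to must themselves verify `$isAclPublish` and that the event belongs to the caller's org, and this commit does not touch them. `$mayPublish` is computed in this file as `$isAclPublish && $event['Event']['org'] == $me['org']`, so an org-level admin who previously matched `$isAdmin` now loses the buttons — consistent with the commit message, but the controller must agree or the UI and server diverge. Suggested comment above the `if`: `// Display-only gate: alert/publish enforce the same org check server-side.` — add it only once that is verified to be true.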
@ -248,7 +248,7 @@ if (!empty($event['Attribute'])):?>
|
|||
<?php
|
||||
endif;?>
|
||||
<?php
|
||||
if ($isAdmin || $mayModify): ?>
|
||||
if ($isSiteAdmin || $mayModify): ?>
|
||||
<td class="actions">
|
||||
<?php
|
||||
echo $this->Html->link(__('Edit', true), array('controller' => 'attributes', 'action' => 'edit', $attribute['id']));
|
||||
|
@ -266,7 +266,7 @@ if (!empty($event['Attribute'])):?>
|
|||
<?php
|
||||
endif; ?>
|
||||
<?php
|
||||
if ($isAdmin || $mayModify): ?>
|
||||
if ($isSiteAdmin || $mayModify): ?>
|
||||
<div class="actions">
|
||||
<ul>
|
||||
<li><?php echo $this->Html->link('Add Attribute', array('controller' => 'attributes', 'action' => 'add', $event['Event']['id']));?> </li>
|
||||
|
@ -281,7 +281,7 @@ endif; ?>
|
|||
<div class="actions">
|
||||
<ul>
|
||||
<?php
|
||||
if ($isAdmin || $mayModify): ?>
|
||||
if ($isSiteAdmin || $mayModify): ?>
|
||||
<li><?php echo $this->Html->link(__('Add Attribute', true), array('controller' => 'attributes', 'action' => 'add', $event['Event']['id']));?> </li>
|
||||
<li><?php echo $this->Html->link(__('Add Attachment', true), array('controller' => 'attributes', 'action' => 'add_attachment', $event['Event']['id']));?> </li>
|
||||
<li><?php echo $this->Html->link(__('Edit Event', true), array('action' => 'edit', $event['Event']['id'])); ?> </li>
|
||||
|
|