mirror of https://github.com/MISP/MISP
Merge branch 'feature/publication-blocking-same-user' into develop
commit
71e78e6eb3
|
@ -3203,7 +3203,7 @@ class EventsController extends AppController
|
|||
$event = $this->Event->find('first', [
|
||||
'conditions' => Validation::uuid($id) ? ['Event.uuid' => $id] : ['Event.id' => $id],
|
||||
'recursive' => -1,
|
||||
'fields' => ['id', 'info', 'publish_timestamp', 'orgc_id'],
|
||||
'fields' => ['id', 'info', 'publish_timestamp', 'orgc_id', 'user_id'],
|
||||
]);
|
||||
if (empty($event)) {
|
||||
throw new NotFoundException(__('Invalid event.'));
|
||||
|
@ -3222,6 +3222,16 @@ class EventsController extends AppController
|
|||
}
|
||||
}
|
||||
}
|
||||
if (
|
||||
Configure::read('MISP.block_publishing_for_same_creator', false) &&
|
||||
$this->Auth->user()['id'] == $event['Event']['user_id']
|
||||
) {
|
||||
$message = __('Could not publish the event, the publishing user cannot be the same as the event creator as per this instance\'s configuration.');
|
||||
if (!$this->_isRest()) {
|
||||
$this->Flash->error($message);
|
||||
}
|
||||
throw new MethodNotAllowedException($message);
|
||||
}
|
||||
|
||||
return $event;
|
||||
}
|
||||
|
|
|
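Review bot: The creator check in the added block compares the two ids with loose `==` and reports the refusal through `MethodNotAllowedException`, which tells a REST client the HTTP verb was wrong rather than that the action is not permitted. I would write `(int)$this->Auth->user('id') === (int)$event['Event']['user_id']` and throw `ForbiddenException($message)` so the response is a 403. As far as this hunk shows, a refused attempt also leaves no log entry; since this is a separation-of-duties control, recording the denial would help detection. The enclosing method starts and ends outside the hunk, so earlier logging cannot be ruled out from here.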
@ -3743,7 +3743,10 @@ class Event extends AppModel
|
|||
unset($this->Attribute->validate['value']['uniqueValue']); // unset this - we are saving a new event, there are no values to compare against and event_id is not set in the attributes
|
||||
}
|
||||
unset($data['Event']['id']);
|
||||
if (isset($data['Event']['published']) && $data['Event']['published'] && $user['Role']['perm_publish'] == 0) {
|
||||
if (
|
||||
(Configure::read('MISP.block_publishing_for_same_creator', false) && !$user['Role']['perm_sync']) ||
|
||||
(isset($data['Event']['published']) && $data['Event']['published'] && $user['Role']['perm_publish'] == 0)
|
||||
) {
|
||||
$data['Event']['published'] = 0;
|
||||
}
|
||||
if (isset($data['Event']['uuid'])) {
|
||||
|
@ -4059,7 +4062,10 @@ class Event extends AppModel
|
|||
} else {
|
||||
return array('error' => 'Event could not be saved: Could not find the local event.');
|
||||
}
|
||||
if (!empty($data['Event']['published']) && !$user['Role']['perm_publish']) {
|
||||
if (
|
||||
(Configure::read('MISP.block_publishing_for_same_creator', false) && !$user['Role']['perm_sync'] && $user['id'] == $existingEvent['Event']['user_id']) ||
|
||||
(!empty($data['Event']['published']) && !$user['Role']['perm_publish'])
|
||||
) {
|
||||
$data['Event']['published'] = 0;
|
||||
}
|
||||
if (!isset($data['Event']['published'])) {
|
||||
|
@ -4190,7 +4196,7 @@ class Event extends AppModel
|
|||
if ((true != Configure::read('MISP.disablerestalert')) && (empty($server) || empty($server['Server']['publish_without_email']))) {
|
||||
$this->sendAlertEmailRouter($id, $user, $existingEvent['Event']['publish_timestamp']);
|
||||
}
|
||||
$this->publish($existingEvent['Event']['id']);
|
||||
$this->publish($existingEvent['Event']['id'], $passAlong);
|
||||
}
|
||||
if ($jobId) {
|
||||
$eventLock->deleteBackgroundJobLock($data['Event']['id'], $jobId);
|
||||
|
@ -5952,7 +5958,9 @@ class Event extends AppModel
|
|||
$this->add_original_file($decoded['original'], $originalFile, $created_id, $stixVersion);
|
||||
}
|
||||
if ($publish && $user['Role']['perm_publish']) {
|
||||
$this->publish($created_id);
|
||||
if (!Configure::read('MISP.block_publishing_for_same_creator', false) || $user['Role']['perm_sync']) {
|
||||
$this->publish($created_id);
|
||||
}
|
||||
}
|
||||
return $created_id;
|
||||
} else if (is_numeric($result)) {
|
||||
|
|
|
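Review bot: In the hunk at -4059 (edit path) the new first clause never tests `$data['Event']['published']`, so with the setting enabled every edit by the original creator writes `published = 0`, including edits that did not ask to publish, and the `!isset($data['Event']['published'])` branch that follows can no longer run for that user. Gating both clauses on the request would keep the previous flow: `if (!empty($data['Event']['published']) && ($sameCreatorBlocked || !$user['Role']['perm_publish']))`, with `$sameCreatorBlocked` holding the Configure / `perm_sync` / `user_id` test. The hunk at -3743 has the same shape, though the code that follows it is not visible here. Separately, `perm_sync` bypasses the control in all three model hunks while the controller check has no such exemption; a comment stating that sync accounts are exempt by design would make that difference deliberate rather than accidental. The surrounding methods start and end outside these hunks.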
@ -6143,6 +6143,14 @@ class Server extends AppModel
|
|||
'type' => 'boolean',
|
||||
'null' => true,
|
||||
],
|
||||
'block_publishing_for_same_creator' => [
|
||||
'level' => self::SETTING_OPTIONAL,
|
||||
'description' => __('Enabling this setting will make MISP block event publishing in the case of the publisher being the same user as the event creator.'),
|
||||
'value' => false,
|
||||
'test' => 'testBool',
|
||||
'type' => 'boolean',
|
||||
'null' => true,
|
||||
],
|
||||
'self_update' => [
|
||||
'level' => self::SETTING_CRITICAL,
|
||||
'description' => __('Enable the GUI button for MISP self-update on the Diagnostics page.'),
|
||||
|
|
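Review bot: The description string for `block_publishing_for_same_creator` does not mention that users whose role has `perm_sync` are exempt in the Event model paths changed by this commit. An administrator who enables this as a separation-of-duties control should be able to read that limit from the setting text. I would append a sentence such as `Users with a sync role are exempt when events are saved via the API or import.` to the description, adjusted to whatever scope the maintainers intend.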