diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index 573ae6612..9b428ee1e 100644
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
@@ -3203,7 +3203,7 @@ class EventsController extends AppController
 $event = $this->Event->find('first', [
 'conditions' => Validation::uuid($id) ? ['Event.uuid' => $id] : ['Event.id' => $id],
 'recursive' => -1,
- 'fields' => ['id', 'info', 'publish_timestamp', 'orgc_id'],
+ 'fields' => ['id', 'info', 'publish_timestamp', 'orgc_id', 'user_id'],
 ]);
 if (empty($event)) {
 throw new NotFoundException(__('Invalid event.'));
@@ -3222,6 +3222,16 @@ class EventsController extends AppController
 }
 }
 }
+ if (
+ Configure::read('MISP.block_publishing_for_same_creator', false) &&
+ $this->Auth->user()['id'] == $event['Event']['user_id']
+ ) {
+ $message = __('Could not publish the event, the publishing user cannot be the same as the event creator as per this instance\'s configuration.');
+ if (!$this->_isRest()) {
+ $this->Flash->error($message);
+ }
+ throw new MethodNotAllowedException($message);
+ }
 return $event;
 }
diff --git a/app/Model/Event.php b/app/Model/Event.php
index d6b9ba4c7..75c52b4fc 100755
--- a/app/Model/Event.php
+++ b/app/Model/Event.php
@@ -3743,7 +3743,10 @@ class Event extends AppModel
 unset($this->Attribute->validate['value']['uniqueValue']); // unset this - we are saving a new event, there are no values to compare against and event_id is not set in the attributes
 }
 unset($data['Event']['id']);
- if (isset($data['Event']['published']) && $data['Event']['published'] && $user['Role']['perm_publish'] == 0) {
+ if (
+ (Configure::read('MISP.block_publishing_for_same_creator', false) && !$user['Role']['perm_sync']) ||
+ (isset($data['Event']['published']) && $data['Event']['published'] && $user['Role']['perm_publish'] == 0)
+ ) {
 $data['Event']['published'] = 0;
 }
 if (isset($data['Event']['uuid'])) {
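Review bot: The controller-side block added at `if (` applies to every user whose id matches the event creator, while the three model paths in app/Model/Event.php changed by this commit (hunks at 3743, 4059 and 5952) exempt users with `perm_sync`; one of the two rules is wrong, and if the exemption is intended it should be mirrored here, presumably as a third operand such as `!$this->Auth->user()['Role']['perm_sync'] &&` (assuming the session user array carries its Role like the model's `$user` does). The comparison itself is loose (`==`); ids coming from the database may be strings, so `(int) $this->Auth->user()['id'] === (int) $event['Event']['user_id']` is the safer form. A MethodNotAllowedException (405) also reads oddly for a policy refusal, where a ForbiddenException (403) is what REST clients would expect, unless the project's other publish refusals already use 405. The enclosing method starts before this hunk, and the earlier hunk at 3203 (adding `user_id` to the fetched fields) belongs to the same method.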
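Review bot: The first operand of the new condition, `(Configure::read('MISP.block_publishing_for_same_creator', false) && !$user['Role']['perm_sync'])`, forces `published` to 0 without any creator comparison, which is only correct because on this add path the saving user is the creator, and nothing in the code says so. A one-line comment would keep the next reader from "fixing" it to match the edit path at 4059: `// add(): the saving user is the creator, so the same-creator block needs no user_id comparison`. Note also that the new condition now writes `$data['Event']['published'] = 0` even when the key was never set, which the old `isset` guard avoided; harmless if a missing key is treated as unpublished downstream, but worth confirming. The enclosing method starts before and ends after this hunk.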
@@ -4059,7 +4062,10 @@ class Event extends AppModel
 } else {
 return array('error' => 'Event could not be saved: Could not find the local event.');
 }
- if (!empty($data['Event']['published']) && !$user['Role']['perm_publish']) {
+ if (
+ (Configure::read('MISP.block_publishing_for_same_creator', false) && !$user['Role']['perm_sync'] && $user['id'] == $existingEvent['Event']['user_id']) ||
+ (!empty($data['Event']['published']) && !$user['Role']['perm_publish'])
+ ) {
 $data['Event']['published'] = 0;
 }
 if (!isset($data['Event']['published'])) {
@@ -4190,7 +4196,7 @@ class Event extends AppModel
 if ((true != Configure::read('MISP.disablerestalert')) && (empty($server) || empty($server['Server']['publish_without_email']))) {
 $this->sendAlertEmailRouter($id, $user, $existingEvent['Event']['publish_timestamp']);
 }
- $this->publish($existingEvent['Event']['id']);
+ $this->publish($existingEvent['Event']['id'], $passAlong);
 }
 if ($jobId) {
 $eventLock->deleteBackgroundJobLock($data['Event']['id'], $jobId);
@@ -5952,7 +5958,9 @@ class Event extends AppModel
 $this->add_original_file($decoded['original'], $originalFile, $created_id, $stixVersion);
 }
 if ($publish && $user['Role']['perm_publish']) {
- $this->publish($created_id);
+ if (!Configure::read('MISP.block_publishing_for_same_creator', false) || $user['Role']['perm_sync']) {
+ $this->publish($created_id);
+ }
 }
 return $created_id;
 } else if (is_numeric($result)) {
diff --git a/app/Model/Server.php b/app/Model/Server.php
index 0ead31d16..ed8576df4 100644
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
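Review bot: The added comparison `$user['id'] == $existingEvent['Event']['user_id']` depends on `user_id` being present in `$existingEvent`, which is loaded before this hunk; the controller hunk at 3203 had to add `user_id` to its field list, so if the lookup that populates `$existingEvent` also restricts fields, the right-hand side is null, the comparison is false and the block silently never fires. Please verify that find returns `user_id`, and prefer `(int) $user['id'] === (int) $existingEvent['Event']['user_id']` over the loose `==` so a string id from the database and an int from the session compare as intended. The enclosing method starts before this hunk.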
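Review bot: `$passAlong`, newly forwarded in `$this->publish($existingEvent['Event']['id'], $passAlong);`, is not defined anywhere in this hunk; if it is not a parameter or local of the enclosing method (which starts before the hunk), this raises an undefined-variable notice and publish() receives null. The change is also unrelated to the same-creator setting the rest of the commit introduces, so a sentence in the commit description saying what publish() does with the extra argument would help reviewers and anyone bisecting later.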
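Review bot: The nested `if` added under `if ($publish && $user['Role']['perm_publish'])` could be folded into the outer condition so the three publish preconditions read as one, e.g. `if ($publish && $user['Role']['perm_publish'] && (!Configure::read('MISP.block_publishing_for_same_creator', false) || $user['Role']['perm_sync'])) {`. Whichever shape is kept, a comment stating why no creator comparison appears here (presumably because the importing user is the creator of `$created_id`) would stop it from looking like an omission relative to the edit path at 4059: `// the importing user is the creator, so the same-creator block reduces to the sync exemption`. The enclosing method starts before and ends after this hunk.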
@@ -6143,6 +6143,14 @@ class Server extends AppModel
 'type' => 'boolean',
 'null' => true,
 ],
+ 'block_publishing_for_same_creator' => [
+ 'level' => self::SETTING_OPTIONAL,
+ 'description' => __('Enabling this setting will make MISP block event publishing in the case of the publisher being the same user as the event creator.'),
+ 'value' => false,
+ 'test' => 'testBool',
+ 'type' => 'boolean',
+ 'null' => true,
+ ],
 'self_update' => [
 'level' => self::SETTING_CRITICAL,
 'description' => __('Enable the GUI button for MISP self-update on the Diagnostics page.'),
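Review bot: The `'description'` documents only the same-creator rule, but the model paths this commit changes (Event.php hunks at 3743, 4059 and 5952) also exempt users with `perm_sync`, while the controller path does not; this text is what an admin reads before enabling the setting, so it should state whichever exemption is the intended behaviour, e.g. by appending `Users with the sync permission are not subject to this restriction.` if that is the design. The `'value' => false` default agrees with the `Configure::read(..., false)` fallbacks used at the call sites, which is good; keep them in step if the default is ever changed.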