mirror of https://github.com/MISP/MISP
fix: [sharing groups] Allow users to see events they own, even if their organisation is not explicitly mentioned in the SG
- however, show a clear message that this is the case - in-line with the rest of the ACL
pull/7125/head
parent
ca13fee271
commit
76a2727583
|
@ -1483,23 +1483,23 @@ class Event extends AppModel
|
|||
if (!$user['Role']['perm_site_admin']) {
|
||||
$sgids = $this->cacheSgids($user, true);
|
||||
$unpublishedPrivate = Configure::read('MISP.unpublishedprivate');
|
||||
$conditions['AND']['OR'] = array(
|
||||
$conditions['AND']['OR'] = [
|
||||
'Event.org_id' => $user['org_id'],
|
||||
array(
|
||||
'AND' => array(
|
||||
[
|
||||
'AND' => [
|
||||
'Event.distribution >' => 0,
|
||||
'Event.distribution <' => 4,
|
||||
$unpublishedPrivate ? array('Event.published' => 1) : array(),
|
||||
),
|
||||
),
|
||||
array(
|
||||
'AND' => array(
|
||||
$unpublishedPrivate ? array('Event.published' => 1) : [],
|
||||
],
|
||||
],
|
||||
[
|
||||
'AND' => [
|
||||
'Event.sharing_group_id' => $sgids,
|
||||
'Event.distribution' => 4,
|
||||
$unpublishedPrivate ? array('Event.published' => 1) : array(),
|
||||
)
|
||||
)
|
||||
);
|
||||
$unpublishedPrivate ? array('Event.published' => 1) : [],
|
||||
]
|
||||
]
|
||||
];
|
||||
}
|
||||
return $conditions;
|
||||
}
|
||||
|
@ -2189,6 +2189,7 @@ class Event extends AppModel
|
|||
}
|
||||
|
||||
foreach ($results as $eventKey => &$event) {
|
||||
/*
|
||||
if ($event['Event']['distribution'] == 4 && !in_array($event['Event']['sharing_group_id'], $sgids)) {
|
||||
$this->Log = ClassRegistry::init('Log');
|
||||
$this->Log->create();
|
||||
|
@ -2205,6 +2206,7 @@ class Event extends AppModel
|
|||
unset($results[$eventKey]); // Current user cannot access sharing_group associated to this event
|
||||
continue;
|
||||
}
|
||||
*/
|
||||
if ($options['includeWarninglistHits'] || $options['enforceWarninglist']) {
|
||||
$eventWarnings = $this->Warninglist->attachWarninglistToAttributes($event['Attribute']);
|
||||
$this->Warninglist->attachWarninglistToAttributes($event['ShadowAttribute']);
|
||||
|
@ -2215,7 +2217,9 @@ class Event extends AppModel
|
|||
$this->__attachGalaxies($event, $user, $options['excludeGalaxy'], $options['fetchFullClusters']);
|
||||
$event = $this->Orgc->attachOrgs($event, $fieldsOrg);
|
||||
if (!$options['sgReferenceOnly'] && $event['Event']['sharing_group_id']) {
|
||||
$event['SharingGroup'] = $sharingGroupData[$event['Event']['sharing_group_id']]['SharingGroup'];
|
||||
if (!empty($sharingGroupData[$event['Event']['sharing_group_id']]['SharingGroup'])) {
|
||||
$event['SharingGroup'] = $sharingGroupData[$event['Event']['sharing_group_id']]['SharingGroup'];
|
||||
}
|
||||
}
|
||||
|
||||
// Include information about event creator user email. This information is included for:
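Review bot: The sharing-group check inside the `foreach ($results as $eventKey => &$event)` loop appears to be switched off for every caller by the `/*` … `*/` pair, not only for events the user's own organisation holds, so access to distribution-4 events now seems to rest on the query conditions alone and the log entry the check wrote is no longer produced. Narrowing the condition would keep that second layer: `if ($event['Event']['distribution'] == 4 && $event['Event']['org_id'] != $user['org_id'] && !in_array($event['Event']['sharing_group_id'], $sgids)) {`. The middle of the commented block lies between the two hunks and is not shown, so confirm that `$sgids` and `$user['org_id']` are populated at that point before relying on this form. If the block is meant to be retired, delete it rather than leaving dead code in a comment. Note also that `$event['SharingGroup']` can now be absent on a distribution-4 event, so other consumers of this array need the same `!empty()` guard the view received.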
|
||||
|
|
|
@ -124,6 +124,25 @@
|
|||
'value_class' => 'threat-level-' . strtolower($event['ThreatLevel']['name']),
|
||||
);
|
||||
}
|
||||
$sharingGroupHtml = false;
|
||||
$hideDistributionGraph = false;
|
||||
if ($event['Event']['distribution'] == 4) {
|
||||
if (!empty($event['SharingGroup'])) {
|
||||
$sharingGroupHtml = sprintf(
|
||||
'<a href="%s%s">%s</a>',
|
||||
$baseurl . '/sharing_groups/view/',
|
||||
h($event['SharingGroup']['id']),
|
||||
h($event['SharingGroup']['name'])
|
||||
);
|
||||
} else {
|
||||
$sharingGroupHtml = sprintf(
|
||||
'<span class="red bold">%s</span>: %s',
|
||||
__('Undisclosed sharing group'),
|
||||
__('your organisation is the local owner of this event, however it is not explicitly listed in the sharing group.')
|
||||
);
|
||||
$hideDistributionGraph = true;
|
||||
}
|
||||
}
|
||||
$table_data[] = array(
|
||||
'key' => __('Analysis'),
|
||||
'key_title' => $eventDescriptions['analysis']['desc'],
|
||||
|
@ -135,19 +154,19 @@
|
|||
'html' => sprintf(
|
||||
'%s %s %s %s',
|
||||
($event['Event']['distribution'] == 4) ?
|
||||
sprintf('<a href="%s%s">%s</a>', $baseurl . '/sharing_groups/view/', h($event['SharingGroup']['id']), h($event['SharingGroup']['name'])) :
|
||||
$sharingGroupHtml :
|
||||
h($distributionLevels[$event['Event']['distribution']]),
|
||||
sprintf(
|
||||
$hideDistributionGraph ? '' : sprintf(
|
||||
'<span id="distribution_graph_bar" style="margin-left: 5px;" data-object-id="%s" data-object-context="event"></span>',
|
||||
h($event['Event']['id'])
|
||||
),
|
||||
sprintf(
|
||||
$hideDistributionGraph ? '' : sprintf(
|
||||
'<it class="%s" data-object-id="%s" data-object-context="event" data-shown="false"></it><div style="display: none">%s</div>',
|
||||
'useCursorPointer fa fa-info-circle distribution_graph',
|
||||
h($event['Event']['id']),
|
||||
$this->element('view_event_distribution_graph')
|
||||
),
|
||||
sprintf(
|
||||
$hideDistributionGraph ? '' : sprintf(
|
||||
'<it type="button" id="showAdvancedSharingButton" title="%s" class="%s" aria-hidden="true" style="margin-left: 5px;"></it>',
|
||||
__('Toggle advanced sharing network viewer'),
|
||||
'fa fa-share-alt useCursorPointer'
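Review bot: The `else` branch builds `$sharingGroupHtml` from two `__()` strings without escaping, while the branch above it passes the sharing-group id and name through `h()`. The value is emitted under the `'html'` key, so a translation that contains markup would be rendered as-is. Wrapping both keeps the branch consistent: `h(__('Undisclosed sharing group'))`, and likewise for the explanatory sentence. The branch also keys on `empty($event['SharingGroup'])` alone, which presumably also matches an event whose sharing-group data is missing for some other reason, so the "local owner" wording may appear where ownership is not the cause. Comparing `$event['Event']['org_id']` with the viewer's organisation before choosing that message would make it exact. The surrounding `$table_data` entry starts and ends outside the hunk.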
|
||||
|
|