mirror of https://github.com/MISP/MISP
Proposal changes
- anyone who can see an event can see its proposals - fixed a vulnerability where a user could blindly add a proposal to an event that he couldn't see
pull/217/head
parent
89c80a8b7c
commit
772f60ff40
@ -199,7 +199,17 @@ class ShadowAttributesController extends AppController {
* @throws NotFoundException // TODO Exception
*/
public function add($eventId = null) {
$event = $this->ShadowAttribute->Event->find('first', array(
'conditions' => array('Event.id' => $eventId),
'recursive' => -1,
'fields' => array('id', 'orgc', 'distribution', 'org'),
));
if ((($event['Event']['distribution'] == 0 && !$event['Event']['org'] != $this->Auth->user('org'))) || ($event['Event']['orgc'] == $this->Auth->user('org'))) {
$this->Session->setFlash(__('Invalid Event.'));
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
if ($this->request->is('post')) {
// Give error if someone tried to submit a attribute with attachment or malware-sample type.
// TODO change behavior attachment options - this is bad ... it should rather by a messagebox or should be filtered out on the view level
if (isset($this->request->data['ShadowAttribute']['type']) && $this->ShadowAttribute->typeIsAttachment($this->request->data['ShadowAttribute']['type'])) {
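Review bot: The `!` in `!$event['Event']['org'] != $this->Auth->user('org')` binds before `!=`, so the expression compares a boolean with the user's org and is true for any non-empty event org; the org comparison therefore has no effect and every distribution-0 event is rejected with "Invalid Event.", including for users of the org that owns it. The same expression is repeated in the `add_attachment` hunk and in the `edit` check further down this file, so the fix applies to all three. The condition should read `if (($event['Event']['distribution'] == 0 && $event['Event']['org'] != $this->Auth->user('org')) || $event['Event']['orgc'] == $this->Auth->user('org')) {`. The docblock declares `@throws NotFoundException` but a missing event is never rejected: with `$event` empty the comparisons run against null and fall through to the POST handling, so `if (empty($event)) throw new NotFoundException(__('Invalid event.'));` belongs before the check, and unlike the `edit` check this one has no `_isSiteAdmin()` exemption, which is worth confirming as intended. `add()`'s body continues outside the hunk.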
@ -340,6 +350,15 @@ class ShadowAttributesController extends AppController {
* @throws InternalErrorException
*/
public function add_attachment($eventId = null) {
$event = $this->ShadowAttribute->Event->find('first', array(
'conditions' => array('Event.id' => $eventId),
'recursive' => -1,
'fields' => array('id', 'orgc', 'distribution', 'org'),
));
if ((($event['Event']['distribution'] == 0 && !$event['Event']['org'] != $this->Auth->user('org'))) || ($event['Event']['orgc'] == $this->Auth->user('org'))) {
$this->Session->setFlash(__('Invalid Event.'));
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
if ($this->request->is('post')) {
// Check if there were problems with the file upload
// only keep the last part of the filename, this should prevent directory attacks
@ -496,7 +515,10 @@ class ShadowAttributesController extends AppController {
}
$uuid = $this->Attribute->data['Attribute']['uuid'];
if (!$this->_isSiteAdmin()) {
if (($this->Attribute->data['Attribute']['distribution'] == 0) || ($this->Attribute->data['Event']['orgc'] == $this->Auth->user('org'))) {
// If the attribute's distribution is private and the user is not the owner of the event or if the user is of the original creator org -> exception
// The owner should be able to create a shadow attribute, since a pushed community event would be private and tied to a single organisation on a synced instance
// The users of that organisation can only view but not edit the event, but they should be able to propose a change
if ((($this->Attribute->data['Attribute']['distribution'] == 0 && !$this->Attribute->data['Event']['org'] != $this->Auth->user('org'))) || ($this->Attribute->data['Event']['orgc'] == $this->Auth->user('org'))) {
$this->Session->setFlash(__('Invalid Attribute.'));
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
@ -839,7 +839,6 @@ class Event extends AppModel {
// if we come from automation, we may not be logged in - instead we used an auth key in the URL.
$conditionsAttributes = array();
$conditionsShadowAttributes = array();
//restricting to non-private or same org if the user is not a site-admin.
if (!$isSiteAdmin) {
$conditions['AND']['OR'] = array(
@ -850,13 +849,6 @@ class Event extends AppModel {
'Attribute.distribution >' => 0,
'(SELECT events.org FROM events WHERE events.id = Attribute.event_id) LIKE' => $org
);
$conditionsShadowAttributes['OR'] = array(
// We are currently looking at events.org matching the user's org, but later on, once we start syncing shadow attributes, we may want to change this to orgc
// Right now the org that currently owns the event on an instance can see, accept and decline these requests, but in the long run once we can distribute
// the requests back to the creator, we may want to leave these decisions up to them.
array('(SELECT events.org FROM events WHERE events.id = ShadowAttribute.event_id) LIKE' => $org),
array('ShadowAttribute.org LIKE' => $org),
);
}
if ($idList) {
@ -871,7 +863,7 @@ class Event extends AppModel {
// do not expose all the data ...
$fields = array('Event.id', 'Event.org', 'Event.date', 'Event.threat_level_id', 'Event.info', 'Event.published', 'Event.uuid', 'Event.attribute_count', 'Event.analysis', 'Event.timestamp', 'Event.distribution', 'Event.proposal_email_lock', 'Event.orgc', 'Event.user_id', 'Event.locked');
$fieldsAtt = array('Attribute.id', 'Attribute.type', 'Attribute.category', 'Attribute.value', 'Attribute.to_ids', 'Attribute.uuid', 'Attribute.event_id', 'Attribute.distribution', 'Attribute.timestamp', 'Attribute.comment');
$fieldsShadowAtt = array('ShadowAttribute.id', 'ShadowAttribute.type', 'ShadowAttribute.category', 'ShadowAttribute.value', 'ShadowAttribute.to_ids', 'ShadowAttribute.uuid', 'ShadowAttribute.event_id', 'ShadowAttribute.old_id', 'ShadowAttribute.comment');
$fieldsShadowAtt = array('ShadowAttribute.id', 'ShadowAttribute.type', 'ShadowAttribute.category', 'ShadowAttribute.value', 'ShadowAttribute.to_ids', 'ShadowAttribute.uuid', 'ShadowAttribute.event_id', 'ShadowAttribute.old_id', 'ShadowAttribute.comment', 'ShadowAttribute.org');
$params = array('conditions' => $conditions,
'recursive' => 0,
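Review bot: With the `$conditionsShadowAttributes` restriction removed in the preceding hunk, the new `$fieldsShadowAtt` line also adds `ShadowAttribute.org`, so every user who can see an event now also learns which organisation authored each proposal; the commit message frames the widening as intended, but nothing in the code records it, and the removed comment explaining the org-versus-orgc choice is lost with it. A one-line comment on the `$fieldsShadowAtt` line such as `// proposals are visible to everyone who can see the event; ShadowAttribute.org identifies the proposing org` would preserve that rationale for the next reader. Whether revealing the proposer's org to other organisations is acceptable is a policy decision the commit does not discuss and is worth confirming explicitly. The enclosing method starts and ends outside the hunk.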
@ -886,7 +878,6 @@ class Event extends AppModel {
),
'ShadowAttribute' => array(
'fields' => $fieldsShadowAtt,
'conditions' => $conditionsShadowAttributes,
),
)
);