ACL checks changed
- until now checkAction was used to check the permissions of a user, but since all of the role permissions are checked in the beforeFilter of the AppController and saved into a public array, doing a lookup in that array saves an SQL call for each permission check. pull/217/head
parent
3bc787dd3b
commit
8cdf97ff66
@ -157,7 +157,7 @@ class AppController extends Controller {
|
|||
*/
|
||||
protected function _isAdmin() {
|
||||
$org = $this->Auth->user('org');
|
||||
if ((isset($org) && $org === 'ADMIN') || $this->checkAction('perm_admin')) {
|
||||
if ((isset($org) && $org === 'ADMIN') || $this->userRole['perm_admin']) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
|
|
|
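Review bot: `$this->userRole['perm_admin']` on the new line of `_isAdmin()` is read without any guard that the key exists; if `userRole` was not populated for this request or the role row lacks that column, PHP raises an undefined-index notice and the expression is null, which denies access (fails closed) but does so noisily and hides a configuration error behind a plain false. `!empty($this->userRole['perm_admin'])` keeps the truthiness semantics while making the lookup explicit, and the same unguarded lookup is used in every other hunk of this commit. `_isAdmin()`'s closing brace lies outside the hunk.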
@ -465,7 +465,7 @@ class AttributesController extends AppController {
|
|||
}
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
// check for non-private and re-read
|
||||
if (($this->Attribute->data['Event']['org'] != $this->Auth->user('org')) || (($this->Attribute->data['Event']['org'] == $this->Auth->user('org')) && ($this->Attribute->data['Event']['user_id'] != $this->Auth->user('id')) && (!$this->checkAction('prem_modify') || !$this->checkRole()))) {
|
||||
if (($this->Attribute->data['Event']['org'] != $this->Auth->user('org')) || (($this->Attribute->data['Event']['org'] == $this->Auth->user('org')) && ($this->Attribute->data['Event']['user_id'] != $this->Auth->user('id')) && (!$this->this->userRole['perm_modify'] || !$this->userRole['perm_modify_org']))) {
|
||||
$this->Session->setFlash(__('Invalid attribute.'));
|
||||
$this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
}
|
||||
|
|
|
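Review bot: The new line inside the `!$this->_isSiteAdmin()` check reads `$this->this->userRole['perm_modify']`; the controller has no `this` property, so the expression most likely yields null with an undefined-property notice rather than the role flag, and `!null` is true, so every same-org user who is not the event owner is sent away regardless of their role (fails closed, but the permission is never honoured). It should read `!$this->userRole['perm_modify']`. The same `$this->this->userRole` typo appears in the EventsController @ -674 and @ -1254 hunks, in all three LogsController hunks and in all six ServersController hunks, where the add() hunk additionally carries a leading `$$this->this->userRole`, which parses as a variable-variable. The enclosing method starts before the hunk.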
@ -180,7 +180,7 @@ class EventsController extends AppController {
|
|||
*/
|
||||
public function view($id = null) {
|
||||
// If the length of the id provided is 36 then it is most likely a Uuid - find the id of the event, change $id to it and proceed to read the event as if the ID was entered.
|
||||
$perm_publish = $this->checkAction('perm_publish');
|
||||
$perm_publish = $this->userRole['perm_publish'];
|
||||
if (strlen($id) == 36) {
|
||||
$this->Event->recursive = -1;
|
||||
$temp = $this->Event->findByUuid($id);
|
||||
|
@ -261,7 +261,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
}
|
||||
// Grab the shadow attributes that do not have an old_id - these are not proposals to edit an attribute but instead proposals to add a new one
|
||||
if ($this->Auth->user('org') == $this->Event->data['Event']['orgc'] && $this->checkAction('perm_publish')) {
|
||||
if ($this->Auth->user('org') == $this->Event->data['Event']['orgc'] && $this->userRole['perm_publish']) {
|
||||
$conditions = array('AND' => array('ShadowAttribute.event_id' => $this->Event->data['Event']['id'], 'ShadowAttribute.old_id' => '0'));
|
||||
} else {
|
||||
$conditions = array('AND' => array('ShadowAttribute.event_id' => $this->Event->data['Event']['id'], 'ShadowAttribute.old_id' => '0', 'ShadowAttribute.org' => $this->Auth->user('org')));
|
||||
|
@ -560,8 +560,8 @@ class EventsController extends AppController {
|
|||
}
|
||||
$this->Event->read(null, $id);
|
||||
// check for if private and user not authorised to edit, go away
|
||||
if (!$this->_isSiteAdmin() && !$this->checkAction('perm_sync')) {
|
||||
if (($this->Event->data['Event']['org'] != $this->_checkOrg()) || !($this->checkAction('perm_modify'))) {
|
||||
if (!$this->_isSiteAdmin() && !$this->userRole['perm_sync']) {
|
||||
if (($this->Event->data['Event']['org'] != $this->_checkOrg()) || !($this->userRole['perm_modify'])) {
|
||||
$this->Session->setFlash(__('You are not authorised to do that.'));
|
||||
$this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
}
|
||||
|
@ -674,7 +674,7 @@ class EventsController extends AppController {
|
|||
$this->Session->setFlash(__('The event could not be saved. Please, try again.'));
|
||||
}
|
||||
} else {
|
||||
if(!$this->checkAction('perm_modify')) $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
|
||||
if(!$this->this->userRole['perm_modify']) $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
|
||||
$this->request->data = $this->Event->read(null, $id);
|
||||
}
|
||||
|
||||
|
@ -1254,7 +1254,7 @@ class EventsController extends AppController {
|
|||
|
||||
public function automation() {
|
||||
// Simply display a static view
|
||||
if (!$this->checkAction('perm_auth')) {
|
||||
if (!$this->this->userRole['perm_auth']) {
|
||||
$this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
}
|
||||
// generate the list of Attribute types
|
||||
|
|
|
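Review bot: In the edit() hunk (@ -560) the new outer condition `!$this->_isSiteAdmin() && !$this->userRole['perm_sync']` means a user whose role carries `perm_sync` skips both the org-ownership comparison and the `perm_modify` check in the inner `if`, so such a user may edit any organisation's event; nothing on the page says whether that is intended. If it is, a comment such as `// perm_sync roles skip the org and perm_modify checks below` should record it; if not, the `perm_sync` clause belongs in the inner condition next to `perm_modify`. The method that contains this check starts before the hunk.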
@ -39,7 +39,7 @@ class LogsController extends AppController {
|
|||
* @return void
|
||||
*/
|
||||
public function admin_index() {
|
||||
if(!$this->checkAction('perm_audit')) $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
|
||||
if(!$this->this->userRole['perm_audit']) $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
|
||||
$this->set('isSearch', 0);
|
||||
if ($this->Auth->user('org') == 'ADMIN') {
|
||||
$this->AdminCrud->adminIndex();
|
||||
|
@ -80,7 +80,7 @@ class LogsController extends AppController {
|
|||
$mineOrAdmin = true;
|
||||
}
|
||||
$this->set('published', $this->Event->data['Event']['published']);
|
||||
if ($mineOrAdmin && $this->checkAction('perm_modify')) $mayModify = true;
|
||||
if ($mineOrAdmin && $this->this->userRole['perm_modify']) $mayModify = true;
|
||||
// get a list of the attributes that belong to the event
|
||||
$this->loadModel('Attribute');
|
||||
$this->Attribute->recursive = -1;
|
||||
|
@ -115,7 +115,7 @@ class LogsController extends AppController {
|
|||
public $helpers = array('Js' => array('Jquery'), 'Highlight');
|
||||
|
||||
public function admin_search() {
|
||||
if(!$this->checkAction('perm_audit')) $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
|
||||
if(!$this->this->userRole['perm_audit']) $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
|
||||
$fullAddress = array('/admin/logs/search', '/logs/admin_search'); // FIXME remove this crap check
|
||||
$orgRestriction = null;
|
||||
if ($this->Auth->user('org') == 'ADMIN') {
|
||||
|
|
|
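Review bot: The guard lines in admin_index() and admin_search(), `if(!$this->this->userRole['perm_audit']) $this->redirect(...)`, rely on redirect() halting the request; should it ever be invoked with exit disabled, the remainder of the action runs for an unauthorised user. Writing the guard as `if (!$this->userRole['perm_audit']) { return $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false)); }` makes the early exit explicit and also replaces the braceless single-line `if(` style. The same applies to the single-line redirect guards in the EventsController @ -674 and the ServersController hunks. Both methods continue past their hunks.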
@ -50,7 +50,7 @@ class ServersController extends AppController {
|
|||
'conditions' => array(),
|
||||
);
|
||||
} else {
|
||||
if (!$this->checkAction('perm_sync')) $this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
if (!$this->this->userRole['perm_sync']) $this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
$conditions['Server.org LIKE'] = $this->Auth->user('org');
|
||||
$this->paginate = array(
|
||||
'conditions' => array($conditions),
|
||||
|
@ -65,7 +65,7 @@ class ServersController extends AppController {
|
|||
* @return void
|
||||
*/
|
||||
public function add() {
|
||||
if ((!$this->_IsSiteAdmin()) && !($this->Server->organization == $this->Auth->user('org') && $this->checkAction('perm_sync'))) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
|
||||
if ((!$this->_IsSiteAdmin()) && !($this->Server->organization == $this->Auth->user('org') && $$this->this->userRole['perm_sync'])) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
|
||||
if ($this->request->is('post')) {
|
||||
// force check userid and orgname to be from yourself
|
||||
$this->request->data['Server']['org'] = $this->Auth->user('org');
|
||||
|
@ -88,7 +88,7 @@ class ServersController extends AppController {
|
|||
* @throws NotFoundException
|
||||
*/
|
||||
public function edit($id = null) {
|
||||
if (!$this->_IsSiteAdmin() && !($this->Server->organization == $this->Auth->user('org') && $this->checkAction('perm_sync'))) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
|
||||
if (!$this->_IsSiteAdmin() && !($this->Server->organization == $this->Auth->user('org') && $this->this->userRole['perm_sync'])) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
|
||||
$this->Server->id = $id;
|
||||
if (!$this->Server->exists()) {
|
||||
throw new NotFoundException(__('Invalid server'));
|
||||
|
@ -121,7 +121,7 @@ class ServersController extends AppController {
|
|||
* @throws NotFoundException
|
||||
*/
|
||||
public function delete($id = null) {
|
||||
if(!$this->_IsSiteAdmin() && !($this->Server->id == $this->Auth->user('org') && $this->checkAction('perm_sync'))) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
|
||||
if(!$this->_IsSiteAdmin() && !($this->Server->id == $this->Auth->user('org') && $this->this->userRole['perm_sync'])) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
|
||||
if (!$this->request->is('post')) {
|
||||
throw new MethodNotAllowedException();
|
||||
}
|
||||
|
@ -151,7 +151,7 @@ class ServersController extends AppController {
|
|||
*/
|
||||
public function pull($id = null, $technique=false) {
|
||||
// TODO should we de-activate data validation for type and category / and or mapping? Maybe other instances have other configurations that are incompatible.
|
||||
if (!$this->_IsSiteAdmin() && !($this->Server->organization == $this->Auth->user('org') && $this->checkAction('perm_sync'))) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
|
||||
if (!$this->_IsSiteAdmin() && !($this->Server->organization == $this->Auth->user('org') && $this->this->userRole['perm_sync'])) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
|
||||
$this->Server->id = $id;
|
||||
if (!$this->Server->exists()) {
|
||||
throw new NotFoundException(__('Invalid server'));
|
||||
|
@ -309,7 +309,7 @@ class ServersController extends AppController {
|
|||
}
|
||||
|
||||
public function push($id = null, $technique=false) {
|
||||
if ($this->Auth->user('org') != 'ADMIN' && !($this->Server->organization == $this->Auth->user('org') && $this->checkAction('perm_sync'))) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
|
||||
if ($this->Auth->user('org') != 'ADMIN' && !($this->Server->organization == $this->Auth->user('org') && $this->this->userRole['perm_sync'])) $this->redirect(array('controller' => 'servers', 'action' => 'index'));
|
||||
if (!$this->request->is('post')) {
|
||||
throw new MethodNotAllowedException();
|
||||
}
|
||||
|
|
|
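Review bot: The new guard line in delete() compares `$this->Server->id == $this->Auth->user('org')`, a server id against an organisation name, whereas the add(), edit(), pull() and push() hunks compare `$this->Server->organization` with the user's org; the org-scoped `perm_sync` branch in delete() is therefore unlikely ever to match, so in practice only site admins can delete (fails closed, but it reads like a copy-and-paste slip). It should read `$this->Server->organization == $this->Auth->user('org')` like its siblings. It is also unclear from these hunks where `organization` is populated, since it is read before `$this->Server->id = $id` is assigned. Each method body continues past its hunk.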
@ -80,7 +80,7 @@ class ShadowAttributesController extends AppController {
|
|||
|
||||
// Send those away that shouldn't be able to see this
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
if (($activeAttribute['Event']['orgc'] != $this->Auth->user('org')) && ($this->Auth->user('org') != $this->ShadowAttribute->data['ShadowAttribute']['org']) || (!$this->checkAcl('edit') || !$this->checkAcl('publish'))) {
|
||||
if (($activeAttribute['Event']['orgc'] != $this->Auth->user('org')) && ($this->Auth->user('org') != $this->ShadowAttribute->data['ShadowAttribute']['org']) || (!$this->userRole['perm_modify'] || !$this->userRole['perm_publish'])) {
|
||||
$this->Session->setFlash(__('Invalid attribute.'));
|
||||
$this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
}
|
||||
|
@ -168,7 +168,7 @@ class ShadowAttributesController extends AppController {
|
|||
$this->Event->read();
|
||||
// Send those away that shouldn't be able to see this
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
if (($this->Event->data['Event']['orgc'] != $this->Auth->user('org')) && ($this->Auth->user('org') != $this->ShadowAttribute->data['ShadowAttribute']['org']) && (!$this->checkAction('perm_modify') || !$this->checkAction('perm_publish'))) {
|
||||
if (($this->Event->data['Event']['orgc'] != $this->Auth->user('org')) && ($this->Auth->user('org') != $this->ShadowAttribute->data['ShadowAttribute']['org']) && (!$this->userRole['perm_modify'] || !$this->userRole['perm_publish'])) {
|
||||
$this->Session->setFlash(__('Invalid attribute.'));
|
||||
$this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
}
|
||||
|
|
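Review bot: The two sibling "Send those away" checks in this file now disagree: the @ -80 hunk joins the org clause and the permission clause with `||`, while the @ -168 hunk joins them with `&&`. With `||`, every non-site-admin who lacks either `perm_modify` or `perm_publish` receives "Invalid attribute" even when their org matches, whereas with `&&` an org match alone lets them through; and because `&&` binds tighter than `||`, the first form also reads ambiguously without parentheses. One of the two is presumably wrong; the intended grouping should be parenthesised explicitly and both checks brought into agreement. Both enclosing methods start before their hunks.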