fix: [internal] User should be able to see his org

pull/6732/head
Jakub Onderka 2020-12-10 15:16:32 +01:00
parent 976591972a
commit 9315fa2296
2 changed files with 18 additions and 0 deletions


@ -485,6 +485,9 @@ class OrganisationsController extends AppController
*/
private function __canSeeOrg(array $user, $orgId)
{
if ($user['org_id'] == $orgId) {
return true; // User can see his own org.
}
if (!$user['Role']['perm_sharing_group'] && Configure::read('Security.hide_organisation_index_from_users')) {
$this->loadModel('Event');
// Check if there is event from given org that can current user see
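Review bot: The new own-organisation short-circuit compares `$user['org_id'] == $orgId` with PHP's loose equality, and this is an authorisation decision, so the comparison should not depend on juggling rules that differ between PHP versions (numeric strings such as `"1"` and `"01"` compare equal, and a non-numeric string compares against an int by coercion). If `$orgId` can arrive here in any form other than a canonical integer id — the accompanying test fetches the org by id, uuid and name, though the resolution presumably happens in the caller — normalising both sides makes the intent explicit: `if ((int)$user['org_id'] === (int)$orgId) {`. The early return also deliberately bypasses the `perm_sharing_group` / `hide_organisation_index_from_users` checks below, which is worth stating in the comment, e.g. `// Own org is always visible, regardless of hide_organisation_index_from_users.`. `__canSeeOrg` continues past the end of this hunk.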


@ -961,6 +961,21 @@ class TestSecurity(unittest.TestCase):
self.admin_misp_connector.delete_organisation(org)
def test_org_hide_org_can_see_his_own(self):
org = self.__create_org()
user = self.__create_user(org.id, ROLE.USER)
with self.__setting("Security.hide_organisation_index_from_users", True):
logged_in = PyMISP(url, user.authkey)
for key in (org.id, org.uuid, org.name):
fetched_org = logged_in.get_organisation(key)
check_response(fetched_org)
self.assertNotIn("created_by", fetched_org["Organisation"])
self.assertNotIn("created_by_email", fetched_org["Organisation"])
self.admin_misp_connector.delete_user(user)
self.admin_misp_connector.delete_organisation(org)
def test_org_hide_org_cannot_see_event_after_contribution(self):
org = self.__create_org()
user = self.__create_user(org.id, ROLE.USER)