Fix to a bug allowing regular users of the owner organisation to edit/delete a synced event as discovered by @h122015
- requirements for the actions changed from an org_id match to an orgc_id match
pull/856/head
parent
3b22997240
commit
98c1aadfa4
|
@ -1036,7 +1036,7 @@ class EventsController extends AppController {
|
|||
$this->Event->read(null, $id);
|
||||
// check for if private and user not authorised to edit, go away
|
||||
if (!$this->_isSiteAdmin() && !($this->userRole['perm_sync'] && $this->_isRest())) {
|
||||
if (($this->Event->data['Event']['org_id'] != $this->_checkOrg()) || !($this->userRole['perm_modify'])) {
|
||||
if (($this->Event->data['Event']['orgc_id'] != $this->_checkOrg()) || !($this->userRole['perm_modify'])) {
|
||||
$this->Session->setFlash(__('You are not authorised to do that. Please considering using the propose attribute feature.'));
|
||||
$this->redirect(array('controller' => 'events', 'action' => 'index'));
|
||||
}
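Review bot: The same ownership predicate now exists in three slightly different shapes — here, in the hunk at line 1159 (no perm_sync/REST exemption, throws instead of redirecting) and in the events index view — so the next rule change risks exactly the drift this commit fixes. Extracting it into one controller helper, e.g. `if (!$this->__isAuthorisedToModify($this->Event->data['Event'])) { ... }` wrapping the site-admin, orgc_id and perm_modify checks, would keep the three callers in step. The comparison on the changed line also stays loose: `$this->Event->data['Event']['orgc_id'] != $this->_checkOrg()` — I cannot see what `_checkOrg()` returns, but if the two sides can differ in type (string id vs int, or null), an explicit `(int)` cast on both sides with `!==` would make the deny decision independent of PHP's comparison juggling. The enclosing action begins and ends outside this hunk.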
|
||||
|
@ -1159,7 +1159,7 @@ class EventsController extends AppController {
|
|||
$this->Event->read();
|
||||
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
if ($this->Event->data['Event']['org_id'] != $this->_checkOrg() || !$this->userRole['perm_modify']) {
|
||||
if ($this->Event->data['Event']['orgc_id'] != $this->_checkOrg() || !$this->userRole['perm_modify']) {
|
||||
throw new MethodNotAllowedException();
|
||||
}
|
||||
}
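Review bot: The deny path right after the changed check throws `MethodNotAllowedException`, i.e. HTTP 405, for what is an authorisation refusal; REST clients and any log-based alerting on unauthorised delete attempts will read it as a wrong HTTP verb rather than a permissions failure. `throw new ForbiddenException('You are not authorised to modify this event.');` would report it accurately and line up with how the hunk at line 1036 reports the same refusal to browser users. This path, unlike line 1036, also has no `perm_sync` / REST exemption — if that asymmetry is intended, a one-line comment such as `// no sync exemption here: only the creator org may remove an event` would stop it being "harmonised" away later. The enclosing action starts before this hunk.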
|
||||
|
|
|
@ -168,11 +168,11 @@
|
|||
</td>
|
||||
<td class="short action-links">
|
||||
<?php
|
||||
if (0 == $event['Event']['published'] && ($isSiteAdmin || ($isAclPublish && $event['Event']['org_id'] == $me['org_id'])))
|
||||
if (0 == $event['Event']['published'] && ($isSiteAdmin || ($isAclPublish && $event['Event']['orgc_id'] == $me['org_id'])))
|
||||
echo $this->Form->postLink('', array('action' => 'alert', $event['Event']['id']), array('class' => 'icon-download-alt', 'title' => 'Publish Event'), 'Are you sure this event is complete and everyone should be informed?');
|
||||
elseif (0 == $event['Event']['published']) echo 'Not published';
|
||||
|
||||
if ($isSiteAdmin || ($isAclModify && $event['Event']['user_id'] == $me['id']) || ($isAclModifyOrg && $event['Event']['org_id'] == $me['org_id'])) {
|
||||
if ($isSiteAdmin || ($isAclModify && $event['Event']['user_id'] == $me['id']) || ($isAclModifyOrg && $event['Event']['orgc_id'] == $me['org_id'])) {
|
||||
?>
|
||||
<a href='<?php echo $baseurl."/events/edit/".$event['Event']['id'];?>' class = "icon-edit" title = "Edit"></a>
|
||||
<?php
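Review bot: The Publish link on the first changed line now keys on `orgc_id`, but this diff only touches the edit and delete actions in EventsController; if the server-side publish (`alert`) action still compares `org_id`, the index page and the controller will disagree about who may publish — either offering a button the server refuses or, worse, hiding a button for an action the server still permits. Template conditions are cosmetic only, so the enforcing check in the `alert` action should be confirmed to apply the same orgc_id rule as the two controller hunks. A short comment above the condition would also help future readers, e.g. `// orgc_id is the creating org; org_id may be the org that synced the event locally` — I am inferring that distinction from the commit message, so it should be checked against the model before being written down. The `if` block opened on the changed edit-link line continues past the end of the hunk.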
|
||||
|
|