diff --git a/app/Controller/AuthKeysController.php b/app/Controller/AuthKeysController.php
index b0b62990b..492a50725 100644
--- a/app/Controller/AuthKeysController.php
+++ b/app/Controller/AuthKeysController.php
@@ -21,10 +21,40 @@ class AuthKeysController extends AppController
     public function index($id = false)
     {
         $conditions = $this->__prepareConditions();
-        if ($id !== false) {
+        $canCreateAuthkey = true;
+        if ($id) {
             $this->set('user_id', $id);
+            if ($this->_isAdmin()) {
+                if ($this->_isSiteAdmin()) {
+                    $canCreateAuthkey = true;
+                } else {
+                    $user = $this->AuthKey->User->find('first', [
+                        'recursive' => -1,
+                        'conditions' => [
+                            'User.id' => $id,
+                            'User.disabled' => false
+                        ],
+                        'fields' => ['User.id', 'User.org_id', 'User.disabled'],
+                        'contain' => [
+                            'Role' => [
+                                'fields' => [
+                                    'Role.perm_site_admin', 'Role.perm_admin'
+                                ]
+                            ]
+                        ]
+                    ]);
+                    if ($user['Role']['perm_site_admin'] || ($user['Role']['perm_admin'] && $user['User']['id'] !== $this->Auth->user('id'))) {
+                        $canCreateAuthkey = false;
+                    } else {
+                        $canCreateAuthkey = true;
+                    }
+                }
+            } else {
+                $canCreateAuthkey = (int)$id === (int)$this->Auth->user('id');
+            }
             $conditions['AND'][] = ['AuthKey.user_id' => $id];
         }
+        $this->set('canCreateAuthkey', $canCreateAuthkey);
         $keyUsageEnabled = Configure::read('MISP.log_user_ips') && Configure::read('MISP.log_user_ips_authkeys');
         $this->CRUD->index([
             'filters' => ['User.email', 'authkey_start', 'authkey_end', 'comment', 'User.id'],
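Review bot: The org-admin branch of `index()` fails open: the `find('first')` on `User` is filtered by `'User.disabled' => false`, so a disabled or unknown `$id` yields an empty `$user`, the `perm_site_admin` / `perm_admin` reads on it come back null, and `$canCreateAuthkey` is left at `true`. The same branch fetches `User.org_id` but never compares it with the org admin's own org, so the flag is also offered for users of other organisations, and `$user['User']['id'] !== $this->Auth->user('id')` is a strict comparison while the non-admin branch casts both sides with `(int)`, so a string id from the model would wrongly mark an org admin's own keys as not creatable. This flag presumably only gates the "Add authentication key" button and the add action enforces the rule on its own, so the impact is a misleading UI rather than a bypass — worth confirming. I would guard on an empty lookup and an org mismatch before inspecting the role; `index()` continues past the end of this hunk.
```php
                    // … unchanged: $user = $this->AuthKey->User->find('first', [...]); …
                    if (empty($user) || (int)$user['User']['org_id'] !== (int)$this->Auth->user('org_id')) {
                        // unknown, disabled or foreign-org user: never offer key creation
                        $canCreateAuthkey = false;
                    } elseif ($user['Role']['perm_site_admin'] || ($user['Role']['perm_admin'] && (int)$user['User']['id'] !== (int)$this->Auth->user('id'))) {
                        $canCreateAuthkey = false;
                    } else {
                        $canCreateAuthkey = true;
                    }
```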
@@ -123,8 +153,40 @@ class AuthKeysController extends AppController
         }
         $selectConditions = [];
         if (!$this->_isSiteAdmin()) {
-            $selectConditions['AND'][] = ['User.id' => $this->Auth->user('id')];
-            $params['override']['user_id'] = $this->Auth->user('id');
+            if ($this->_isAdmin()) {
+                $role_ids = $this->AuthKey->User->Role->find('column', [
+                    'fields' => ['Role.id'],
+                    'conditions' => [
+                        'AND' => [
+                            'Role.perm_site_admin' => false,
+                            'Role.perm_auth' => true,
+                            'Role.perm_admin' => false
+                        ]
+                    ]
+                ]);
+                $user_ids = $this->AuthKey->User->find('column', [
+                    'fields' => ['User.id'],
+                    'conditions' => [
+                        'User.org_id' => $this->Auth->user('org_id'),
+                        'OR' => [
+                            'User.role_id' => $role_ids,
+                            'User.id' => $this->Auth->user('id')
+                        ]
+                    ]
+                ]);
+                if (!empty($user_id)) {
+                    if (in_array($user_id, $user_ids)) {
+                        $user_ids = [$user_id];
+                    } else {
+                        throw new MethodNotAllowedException(__('Invalid user or insufficient privileges to create an authkey for the given user.'));
+                    }
+                }
+                $selectConditions['AND'][] = ['User.id' => $user_ids];
+                $params['override']['user_id'] = $user_ids;
+            } else {
+                $selectConditions['AND'][] = ['User.id' => $this->Auth->user('id')];
+                $params['override']['user_id'] = $this->Auth->user('id');
+            }
         } else if ($user_id) {
             $selectConditions['AND'][] = ['User.id' => $user_id];
             $params['override']['user_id'] = $user_id;
diff --git a/app/View/AuthKeys/index.ctp b/app/View/AuthKeys/index.ctp
index 2a3762fed..bc61d58fa 100644
--- a/app/View/AuthKeys/index.ctp
+++ b/app/View/AuthKeys/index.ctp
@@ -18,6 +18,7 @@
                 'text' => __('Add authentication key'),
                 'class' => 'btn-primary modal-open',
                 'url' => "$baseurl/auth_keys/add" . (empty($user_id) ? '' : ('/' . $user_id)),
+                'requirement' => $canCreateAuthkey
             ]
         ]
     ],
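Review bot: The `$user_ids` query that bounds which users an org admin may mint a key for omits the `'User.disabled' => false` condition that the matching lookup in `index()` applies, so a disabled user in the admin's org still passes the `in_array` check and can be handed a fresh key; add `'User.disabled' => false,` beside `'User.org_id' => $this->Auth->user('org_id'),`. The membership test is also loose: `$user_id` presumably arrives from the URL as a string while `find('column')` returns whatever the driver hands back, so prefer `if (in_array((int)$user_id, array_map('intval', $user_ids), true)) {` followed by `$user_ids = [(int)$user_id];`. When `$user_id` is empty the override becomes the whole `$user_ids` array; if `$params['override']['user_id']` is written into the saved record as its name suggests, that would persist an array rather than the submitted user — confirm against the CRUD component. The enclosing method starts and ends outside this hunk.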