fix: [security] Check event ACL before allowing user to send event contact form
parent
d14ce7de70
commit
b0be3b07fe
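--- a/EventsController.php
+++ b/EventsController.php
@@ -2,6 +2,9 @@
 App::uses('AppController', 'Controller');
 App::uses('Xml', 'Utility');
 
+/**
+ * @property Event $Event
+ */
 class EventsController extends AppController
 {
     public $components = array(
@@ -2792,9 +2795,8 @@ class EventsController extends AppController
     // Users with a GnuPG key will get the mail encrypted, other users will get the mail unencrypted
     public function contact($id = null)
     {
-        $id = $this->Toolbox->findIdByUuid($this->Event, $id);
-        $this->Event->id = $id;
-        if (!$this->Event->exists()) {
+        $events = $this->Event->fetchEvent($this->Auth->user(), array('eventid' => $id));
+        if (empty($events)) {
             throw new NotFoundException(__('Invalid event'));
         }
         // User has filled in his contact form, send out the email.
@@ -2844,7 +2846,7 @@ class EventsController extends AppController
         }
         // User didn't see the contact form yet. Present it to him.
         if (empty($this->data)) {
-            $this->data = $this->Event->read(null, $id);
+            $this->data = $events[0];
         }
     }
 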
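Review bot: The new side of the hunk at 2795 drops both the `findIdByUuid` resolution and the `$this->Event->id = $id` assignment, so two things need confirming before merge: that `fetchEvent()` accepts a UUID in `'eventid'` (otherwise `contact/<uuid>` now returns 404), and that the mail-sending branch between the two hunks, which is outside the visible hunks, no longer reads `$this->Event->id`. The ACL change itself looks right: the lookup now goes through `fetchEvent()` with the current user, and an event the user may not see yields the same `NotFoundException` as a missing one, so the endpoint does not leak existence. `$events[0]` in the last hunk is only safe because of the `empty($events)` guard above it, which is worth making explicit with a comment on the guard such as `// fetchEvent() applies the user's ACL: a hidden event is indistinguishable from a missing one`. The body of `contact()` continues outside the hunks.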