Merge branch 'develop' of github.com:MISP/MISP into develop

feature/event-view-collapsible-objects
Sami Mokaddem 2024-05-03 15:28:08 +02:00
commit ba9f9f4781
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
6 changed files with 17 additions and 19 deletions


@ -649,21 +649,21 @@ class AppController extends Controller
} }
// Check if user accepted terms and conditions // Check if user accepted terms and conditions
if (!$user['termsaccepted'] && !empty(Configure::read('MISP.terms_file')) && !$this->_isControllerAction(['users' => ['terms', 'logout', 'login', 'downloadTerms']])) { if (!$user['termsaccepted'] && !empty(Configure::read('MISP.terms_file')) && !$this->_isControllerAction(['users' => ['terms', 'logout', 'login', 'downloadTerms', 'totp_new', 'email_otp']])) {
//if ($this->_isRest()) throw new MethodNotAllowedException('You have not accepted the terms of use yet, please log in via the web interface and accept them.'); //if ($this->_isRest()) throw new MethodNotAllowedException('You have not accepted the terms of use yet, please log in via the web interface and accept them.');
$this->redirect(array('controller' => 'users', 'action' => 'terms', 'admin' => false)); $this->redirect(array('controller' => 'users', 'action' => 'terms', 'admin' => false));
return false; return false;
} }
// Check if user must change password // Check if user must change password
if ($user['change_pw'] && !$this->_isControllerAction(['users' => ['terms', 'change_pw', 'logout', 'login']])) { if ($user['change_pw'] && !$this->_isControllerAction(['users' => ['terms', 'change_pw', 'logout', 'login', 'totp_new', 'email_otp']])) {
//if ($this->_isRest()) throw new MethodNotAllowedException('Your user account is expecting a password change, please log in via the web interface and change it before proceeding.'); //if ($this->_isRest()) throw new MethodNotAllowedException('Your user account is expecting a password change, please log in via the web interface and change it before proceeding.');
$this->redirect(array('controller' => 'users', 'action' => 'change_pw', 'admin' => false)); $this->redirect(array('controller' => 'users', 'action' => 'change_pw', 'admin' => false));
return false; return false;
} }
// Check if user must read news // Check if user must read news
if (!$this->_isControllerAction(['news' => ['index'], 'users' => ['terms', 'change_pw', 'login', 'logout']])) { if (!$this->_isControllerAction(['news' => ['index'], 'users' => ['terms', 'change_pw', 'login', 'logout', 'totp_new', 'email_otp']])) {
$this->loadModel('News'); $this->loadModel('News');
$latestNewsCreated = $this->News->latestNewsTimestamp(); $latestNewsCreated = $this->News->latestNewsTimestamp();
if ($latestNewsCreated && $user['newsread'] < $latestNewsCreated) { if ($latestNewsCreated && $user['newsread'] < $latestNewsCreated) {
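Review bot: The exemption list for the OTP flow is now maintained by hand in three places (the terms gate, the change_pw gate and the news gate), and the three copies already diverge (`downloadTerms` only in the first, `change_pw` only in the last two), so the next OTP-related action added to one of them will be missed in the others. Hoisting the shared part into one constant, e.g. `const OTP_FLOW_ACTIONS = ['totp_new', 'email_otp'];` and `array_merge(['terms', 'logout', 'login'], self::OTP_FLOW_ACTIONS)` at each site, keeps the three gates in step. The consequence of the exemption also deserves a comment, because a user still flagged `change_pw` can now enroll a fresh TOTP secret before rotating the password; something like `// OTP enrollment/verification must stay reachable before the terms and password gates, presumably so a mandatory-OTP redirect and these redirects cannot loop — confirm` would record the intent. The enclosing method starts and ends outside the hunk.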


@ -925,7 +925,7 @@ class ACLComponent extends Component
} }
return true; return true;
}; };
$this->dynamicChecks['otp_enabled'] = function (array $user) { $this->dynamicChecks['otp_enabled'] = function ($user) {
if (Configure::read('Security.otp_disabled')) { if (Configure::read('Security.otp_disabled')) {
throw new ForbiddenException('OTP has been disabled on this instance.'); throw new ForbiddenException('OTP has been disabled on this instance.');
} }
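Review bot: The `otp_enabled` dynamic check drops its `array $user` type hint without any comment saying what non-array value it now has to accept, so the loosening reads as accidental rather than deliberate. If the reason is a caller passing `null` (the unauthenticated OTP actions are the likely candidate, but no caller is visible here), `function (?array $user)` keeps the contract explicit while allowing it; otherwise a one-line comment such as `// $user may arrive as a non-array here (see callers) — deliberately untyped` should state the shape that arrives. The closure body continues outside the hunk.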


@ -1214,11 +1214,13 @@ class UsersController extends AppController
$this->Auth->constructAuthenticate(); $this->Auth->constructAuthenticate();
} }
// user has TOTP token, check creds and redirect to TOTP validation // user has TOTP token, check creds and redirect to TOTP validation
if (!empty($unauth_user['User']['totp']) && !$unauth_user['User']['disabled'] && class_exists('\OTPHP\TOTP')) { if (!Configure::read('Security.otp_disabled')) {
$user = $this->Auth->identify($this->request, $this->response); if (!empty($unauth_user['User']['totp']) && !$unauth_user['User']['disabled'] && class_exists('\OTPHP\TOTP')) {
if ($user && !$user['disabled']) { $user = $this->Auth->identify($this->request, $this->response);
$this->Session->write('otp_user', $user); if ($user && !$user['disabled']) {
return $this->redirect('otp'); $this->Session->write('otp_user', $user);
return $this->redirect('otp');
}
} }
} }
} }
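Review bot: The new `Security.otp_disabled` guard means an account with an enrolled TOTP secret now authenticates with the password alone while the flag is set, and nothing in the hunk records that downgrade, so a reader of this login path cannot tell whether skipping the second factor is intended. The existing `user has TOTP token, check creds and redirect to TOTP validation` comment now sits above the outer guard; move it inside and state the consequence, e.g. `// Security.otp_disabled is an instance-wide kill switch: while set, users with an enrolled TOTP secret log in with password only`. Because this silently weakens individual accounts, consider emitting an audit-log entry when the TOTP step is skipped for a user whose `totp` field is set, so the bypass is visible after the fact; whether a log model is loaded in this action is not visible here. The login action starts and ends outside the hunk.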


@ -1,10 +1,9 @@
<div class="index"> <div class="index">
<h2><?= __("Latest news") ?></h2> <h2><?= __("Latest news") ?></h2>
<?php if ($hasUnreadNews): ?> <?php if ($hasUnreadNews): ?>
<div class="alert alert-success"> <div class="alert alert-success">
<p><?= __('You have unread news.') ?></p> <p><?= __('You have unread news.') ?></p>
<a class="btn btn-success" href="<?= $homepage ?>"><?= __('Continue to homepage') ?></a> <a class="btn btn-success" href="<?= isset($homepage['path']) ? $homepage['path'] : $homepage ?>"><?= __('Continue to homepage') ?></a>
</div> </div>
<?php endif; ?> <?php endif; ?>
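Review bot: The href is still written unescaped: `<?= isset($homepage['path']) ? $homepage['path'] : $homepage ?>` drops the value straight into an attribute, so if `$homepage` originates from a user- or admin-editable homepage setting (not visible from this view) it is an attribute-injection/XSS vector. Wrap it in CakePHP's escaping helper: `href="<?= h(isset($homepage['path']) ? $homepage['path'] : $homepage) ?>"`. As a style point, `$homepage['path'] ?? $homepage` is equivalent to the `isset` ternary (including for a string `$homepage`, where the string-offset `isset` is false) and reads more clearly, and the controller that assigns `$homepage` should say in one line why it can be either an array with a `path` key or a plain string.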


@ -1237,25 +1237,25 @@
}, },
{ {
"column_name": "created", "column_name": "created",
"is_nullable": "YES", "is_nullable": "NO",
"data_type": "datetime", "data_type": "datetime",
"character_maximum_length": null, "character_maximum_length": null,
"numeric_precision": null, "numeric_precision": null,
"collation_name": null, "collation_name": null,
"column_type": "datetime", "column_type": "datetime",
"column_default": "current_timestamp()", "column_default": null,
"extra": "" "extra": ""
}, },
{ {
"column_name": "modified", "column_name": "modified",
"is_nullable": "YES", "is_nullable": "NO",
"data_type": "datetime", "data_type": "datetime",
"character_maximum_length": null, "character_maximum_length": null,
"numeric_precision": null, "numeric_precision": null,
"collation_name": null, "collation_name": null,
"column_type": "datetime", "column_type": "datetime",
"column_default": "NULL", "column_default": null,
"extra": "on update current_timestamp()" "extra": ""
}, },
{ {
"column_name": "distribution", "column_name": "distribution",


@ -804,9 +804,6 @@ class TestSecurity(unittest.TestCase):
logged_in = PyMISP(url, self.test_usr.authkey) logged_in = PyMISP(url, self.test_usr.authkey)
logged_in.global_pythonify = True logged_in.global_pythonify = True
with self.assertRaises(Exception):
send(logged_in, "GET", f"/users/email_otp")
with self.assertRaises(Exception): with self.assertRaises(Exception):
send(logged_in, "GET", f"/users/totp_new") send(logged_in, "GET", f"/users/totp_new")