Merge pull request #8713 from JakubOnderka/tags-acl
chg: [acl] Move tags ACL check to one placepull/8724/head
commit
beada205ab
|
@ -2641,11 +2641,8 @@ class AttributesController extends AppController
|
|||
$tag_id_list = array($tag_id);
|
||||
}
|
||||
|
||||
$conditions = ['Tag.id' => $tag_id_list];
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
$conditions['Tag.org_id'] = array(0, $this->Auth->user('org_id'));
|
||||
$conditions['Tag.user_id'] = array(0, $this->Auth->user('id'));
|
||||
}
|
||||
$conditions = $this->Attribute->AttributeTag->Tag->createConditions($this->Auth->user());
|
||||
$conditions['Tag.id'] = $tag_id_list;
|
||||
$tags = $this->Attribute->AttributeTag->Tag->find('list', array(
|
||||
'conditions' => $conditions,
|
||||
'fields' => ['Tag.id', 'Tag.name'],
|
||||
|
|
|
@ -3082,7 +3082,7 @@ class EventsController extends AppController
|
|||
if (empty($event)) {
|
||||
throw new NotFoundException(__('Invalid event.'));
|
||||
}
|
||||
if (!$this->_isSiteAdmin() && $this->Auth->user('org_id') !== $event['Event']['orgc_id']) {
|
||||
if (!$this->__canPublishEvent($event)) {
|
||||
throw new MethodNotAllowedException(__('You do not have the permission to do that.'));
|
||||
}
|
||||
if (!$this->_isRest()) {
|
||||
|
@ -3754,11 +3754,8 @@ class EventsController extends AppController
|
|||
|
||||
$this->loadModel('Taxonomy');
|
||||
foreach ($tag_id_list as $tag_id) {
|
||||
$conditions = ['Tag.id' => $tag_id];
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
$conditions['Tag.org_id'] = array('0', $this->Auth->user('org_id'));
|
||||
$conditions['Tag.user_id'] = array('0', $this->Auth->user('id'));
|
||||
}
|
||||
$conditions = $this->Event->EventTag->Tag->createConditions($this->Auth->user());
|
||||
$conditions['Tag.id'] = $tag_id;
|
||||
$tag = $this->Event->EventTag->Tag->find('first', array(
|
||||
'conditions' => $conditions,
|
||||
'recursive' => -1,
|
||||
|
@ -5729,10 +5726,10 @@ class EventsController extends AppController
|
|||
$event = $this->Event->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => ['Event.id' => $id],
|
||||
'fields' => ['Event.orgc_id', 'Event.timestamp'],
|
||||
'fields' => ['Event.orgc_id', 'Event.timestamp', 'Event.user_id'],
|
||||
));
|
||||
// Return empty response if event not found or user org is not owner
|
||||
if (empty($event) || ($event['Event']['orgc_id'] != $user['org_id'] && !$this->_isSiteAdmin())) {
|
||||
// Return empty response if event not found or user don't have permission to modify it
|
||||
if (empty($event) || !$this->__canModifyEvent($event, $user)) {
|
||||
return new CakeResponse(['status' => 204]);
|
||||
}
|
||||
|
||||
|
@ -5756,10 +5753,10 @@ class EventsController extends AppController
|
|||
$editors = array_unique($editors);
|
||||
|
||||
if ($event['Event']['timestamp'] > $timestamp && empty($editors)) {
|
||||
$message = __('<b>Warning</b>: This event view is outdated. Please reload page to see latest changes.');
|
||||
$message = __('<b>Warning</b>: This event view is outdated. Please reload page to see the latest changes.');
|
||||
$this->set('class', 'alert');
|
||||
} else if ($event['Event']['timestamp'] > $timestamp) {
|
||||
$message = __('<b>Warning</b>: This event view is outdated, because is currently being edited by: %s. Please reload page to see latest changes.', h(implode(', ', $editors)));
|
||||
$message = __('<b>Warning</b>: This event view is outdated, because is currently being edited by: %s. Please reload page to see the latest changes.', h(implode(', ', $editors)));
|
||||
$this->set('class', 'alert');
|
||||
} else if (empty($editors)) {
|
||||
return new CakeResponse(['status' => 204]);
|
||||
|
@ -5776,31 +5773,16 @@ class EventsController extends AppController
|
|||
public function getEditStrategy($id)
|
||||
{
|
||||
// find the id of the event, change $id to it and proceed to read the event as if the ID was entered.
|
||||
if (Validation::uuid($id)) {
|
||||
$this->Event->recursive = -1;
|
||||
$event = $this->Event->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array('Event.uuid' => $id),
|
||||
'fields' => array('Event.id', 'Event.uuid', 'Event.orgc_id')
|
||||
));
|
||||
if ($event == null) {
|
||||
throw new NotFoundException(__('Invalid event'));
|
||||
}
|
||||
$id = $event['Event']['id'];
|
||||
} elseif (!is_numeric($id)) {
|
||||
throw new NotFoundException(__('Invalid event'));
|
||||
} else {
|
||||
$event = $this->Event->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array('Event.id' => $id),
|
||||
'fields' => array('Event.id', 'Event.uuid', 'Event.orgc_id')
|
||||
));
|
||||
}
|
||||
$event = $this->Event->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => Validation::uuid($id) ? ['Event.uuid' => $id] : ['Event.id' => $id],
|
||||
'fields' => array('Event.id', 'Event.uuid', 'Event.orgc_id', 'Event.user_id')
|
||||
));
|
||||
if (empty($event)) {
|
||||
throw new NotFoundException(__('Invalid event'));
|
||||
}
|
||||
$response = array('extensions' => array());
|
||||
if ($event['Event']['orgc_id'] === $this->Auth->user('org_id')) {
|
||||
if ($this->__canModifyEvent($event)) {
|
||||
$response['strategy'] = 'edit';
|
||||
} else {
|
||||
$response['strategy'] = 'extend';
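Review bot: The new `getEditStrategy` query at line 280 drops the `is_numeric($id)` rejection that the removed branch performed, so a non-UUID, non-numeric `$id` now reaches `['Event.id' => $id]` unvalidated; the ORM parameterises the value, but depending on the database's string-to-integer casting a digit-prefixed string may be coerced to a matching id instead of being refused as before. Restoring the guard before the find keeps the old contract in one line: `if (!Validation::uuid($id) && !is_numeric($id)) { throw new NotFoundException(__('Invalid event')); }`. Separately, in the tag loop at line 105 `$this->Event->EventTag->Tag->createConditions($this->Auth->user())` is recomputed on every iteration although it does not depend on `$tag_id`; the same pattern appears in TagCollectionsController at line 545, and both loops could build the base conditions once before the `foreach` and copy them per tag. The enclosing functions of both hunks start and end outside the hunks.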
|
||||
|
|
|
@ -1,10 +1,14 @@
|
|||
<?php
|
||||
App::uses('AppController', 'Controller');
|
||||
|
||||
/**
|
||||
* @property Module $Module
|
||||
*/
|
||||
class ModulesController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'RequestHandler'
|
||||
);
|
||||
'RequestHandler'
|
||||
);
|
||||
|
||||
public function queryEnrichment()
|
||||
{
|
||||
|
@ -18,11 +22,7 @@ class ModulesController extends AppController
|
|||
if (!Configure::read('Plugin.Enrichment_' . $modname . '_enabled')) {
|
||||
throw new MethodNotAllowedException('Module not found or not available.');
|
||||
}
|
||||
if (
|
||||
!$this->_isSiteAdmin &&
|
||||
Configure::read('Plugin.Enrichment_' . $modname . '_restrict') &&
|
||||
Configure::read('Plugin.Enrichment_' . $modname . '_restrict') != $this->Auth->user('org_id')
|
||||
) {
|
||||
if (!$this->Module->canUse($this->Auth->user(), 'Enrichment', $modname)) {
|
||||
throw new MethodNotAllowedException('Module not found or not available.');
|
||||
}
|
||||
$options = array();
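Review bot: `$this->Module->canUse($this->Auth->user(), 'Enrichment', $modname)` at line 396 passes `$modname` as the third argument, but `Module::canUse()` is declared `canUse(array $user, $moduleFamily, array $module)` and reads `$module['name']`; `$modname` is used as a string at line 372 when it is concatenated into the config key, so this call would fail the `array` parameter type rather than perform the restriction check. Either pass the shape the callee expects, `$this->Module->canUse($this->Auth->user(), 'Enrichment', ['name' => $modname])`, or let `canUse()` accept a module name as well as a module array. `queryEnrichment` continues past the hunk.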
|
||||
|
|
|
@ -751,9 +751,7 @@ class ServersController extends AppController
|
|||
throw new NotFoundException(__('Invalid server'));
|
||||
}
|
||||
$error = false;
|
||||
if (!$this->_isSiteAdmin() && !($s['Server']['org_id'] == $this->Auth->user('org_id') && $this->_isAdmin())) {
|
||||
throw new MethodNotAllowedException(__('You are not authorised to do that.'));
|
||||
}
|
||||
|
||||
if (false == $s['Server']['pull'] && ($technique === 'full' || $technique === 'incremental')) {
|
||||
$error = __('Pull setting not enabled for this server.');
|
||||
}
|
||||
|
@ -832,9 +830,7 @@ class ServersController extends AppController
|
|||
throw new NotFoundException(__('Invalid server'));
|
||||
}
|
||||
$s = $this->Server->read(null, $id);
|
||||
if (!$this->_isSiteAdmin() && !($s['Server']['org_id'] == $this->Auth->user('org_id') && $this->_isAdmin())) {
|
||||
throw new MethodNotAllowedException(__('You are not authorised to do that.'));
|
||||
}
|
||||
|
||||
if (!Configure::read('MISP.background_jobs')) {
|
||||
App::uses('SyncTool', 'Tools');
|
||||
$syncTool = new SyncTool();
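Review bot: The in-method check requiring a site admin or an admin of the server's own org before pull/push (lines 423–429 and 456–462) appears to be removed in both hunks — each hunk's net loss of lines matches the three-line `if`/`throw`/`}` — and nothing on the new side of either hunk takes its place. If the restriction now lives in the central ACL layer that the commit title refers to, a one-line comment at the point of removal, `// authorisation (site admin or admin of the owning org) is enforced by the ACL layer`, would keep the intent visible to the next reader, and it is worth confirming that the central rule still distinguishes the owning org rather than admitting any org admin. Both functions start and end outside the hunks.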
|
||||
|
|
|
@ -247,11 +247,7 @@ class TagCollectionsController extends AppController
|
|||
}
|
||||
$tag_id = $this->request->data['tag'];
|
||||
}
|
||||
$tagConditions = array();
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
$tagConditions['Tag.org_id'] = array('0', $this->Auth->user('org_id'));
|
||||
$tagConditions['Tag.user_id'] = array('0', $this->Auth->user('id'));
|
||||
}
|
||||
$tagConditions = $this->TagCollection->TagCollectionTag->Tag->createConditions($this->Auth->user());
|
||||
if (!is_numeric($tag_id)) {
|
||||
$tag_ids = json_decode($tag_id);
|
||||
$tag_lookups = array();
|
||||
|
@ -306,11 +302,8 @@ class TagCollectionsController extends AppController
|
|||
}
|
||||
|
||||
foreach ($tag_id_list as $tag_id) {
|
||||
$tagConditions = ['Tag.id' => $tag_id];
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
$tagConditions['Tag.org_id'] = array('0', $this->Auth->user('org_id'));
|
||||
$tagConditions['Tag.user_id'] = array('0', $this->Auth->user('id'));
|
||||
}
|
||||
$tagConditions = $this->TagCollection->TagCollectionTag->Tag->createConditions($this->Auth->user());
|
||||
$tagConditions['Tag.id'] = $tag_id;
|
||||
$tag = $this->TagCollection->TagCollectionTag->Tag->find('first', array(
|
||||
'conditions' => $tagConditions,
|
||||
'recursive' => -1,
|
||||
|
|
|
@ -507,12 +507,9 @@ class TagsController extends AppController
|
|||
$expanded = $tags;
|
||||
} elseif ($taxonomy_id === 'favourites') {
|
||||
$tags = array();
|
||||
$conditions = array(
|
||||
'FavouriteTag.user_id' => $user['id'],
|
||||
'Tag.org_id' => array(0, $user['org_id']),
|
||||
'Tag.user_id' => array(0, $user['id']),
|
||||
'Tag.hide_tag' => 0,
|
||||
);
|
||||
$conditions = $this->Tag->createConditions($user);
|
||||
$conditions['FavouriteTag.user_id'] = $user['id'];
|
||||
$conditions['Tag.hide_tag'] = 0;
|
||||
if (!$local_tag) {
|
||||
$conditions['Tag.local_only'] = 0;
|
||||
}
|
||||
|
@ -527,14 +524,9 @@ class TagsController extends AppController
|
|||
$expanded = $tags;
|
||||
}
|
||||
} elseif ($taxonomy_id === 'all') { // all tags
|
||||
$conditions = [
|
||||
'Tag.is_galaxy' => 0,
|
||||
'Tag.hide_tag' => 0,
|
||||
];
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
$conditions['Tag.org_id'] = array(0, $user['org_id']);
|
||||
$conditions['Tag.user_id'] = array(0, $user['id']);
|
||||
}
|
||||
$conditions = $this->Tag->createConditions($user);
|
||||
$conditions['Tag.is_galaxy'] = 0;
|
||||
$conditions['Tag.hide_tag'] = 0;
|
||||
if (!$local_tag) {
|
||||
$conditions['Tag.local_only'] = 0;
|
||||
}
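Review bot: In the `favourites` branch the removed conditions scoped `Tag.org_id` and `Tag.user_id` for every user, whereas `$this->Tag->createConditions($user)` at line 593 returns no scoping for site admins, so a site admin's favourites list now includes tags owned by other orgs or users that it previously hid; this matches the `all` branch but is a visibility change for this one, so it is worth confirming it is intended. A short comment above line 593 would record the decision, e.g. `// site admins are not scoped by createConditions(); the list stays limited to the current user via FavouriteTag.user_id`. The enclosing method continues outside both hunks.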
|
||||
|
|
|
@ -14,7 +14,7 @@ class Module extends AppModel
|
|||
'Cortex' => array('cortex')
|
||||
);
|
||||
|
||||
private $__typeToFamily = array(
|
||||
const TYPE_TO_FAMILY = array(
|
||||
'Import' => 'Import',
|
||||
'Export' => 'Export',
|
||||
'Action' => 'Action',
|
||||
|
@ -113,11 +113,7 @@ class Module extends AppModel
|
|||
unset($modules[$k]);
|
||||
continue;
|
||||
}
|
||||
if (
|
||||
!$user['Role']['perm_site_admin'] &&
|
||||
Configure::read('Plugin.' . $moduleFamily . '_' . $module['name'] . '_restrict') &&
|
||||
Configure::read('Plugin.' . $moduleFamily . '_' . $module['name'] . '_restrict') != $user['org_id']
|
||||
) {
|
||||
if (!$this->canUse($user, $moduleFamily, $module)) {
|
||||
unset($modules[$k]);
|
||||
}
|
||||
}
|
||||
|
@ -156,10 +152,10 @@ class Module extends AppModel
|
|||
*/
|
||||
public function getEnabledModule($name, $type)
|
||||
{
|
||||
if (!isset($this->__typeToFamily[$type])) {
|
||||
if (!isset(self::TYPE_TO_FAMILY[$type])) {
|
||||
throw new InvalidArgumentException("Invalid type '$type'.");
|
||||
}
|
||||
$moduleFamily = $this->__typeToFamily[$type];
|
||||
$moduleFamily = self::TYPE_TO_FAMILY[$type];
|
||||
$modules = $this->getModules($moduleFamily);
|
||||
if (!Configure::read('Plugin.' . $moduleFamily . '_' . $name . '_enabled')) {
|
||||
return 'The requested module is not enabled.';
|
||||
|
@ -375,14 +371,13 @@ class Module extends AppModel
|
|||
$name = is_string($key) ? $key : $value['name'];
|
||||
$moduleSettings[] = [
|
||||
'name' => $name,
|
||||
'type' => isset($value['type']) ? $value['type'] : 'string',
|
||||
'test' => isset($value['test']) ? $value['test'] : null,
|
||||
'description' => isset($value['description']) ? $value['description'] : null,
|
||||
'null' => isset($value['null']) ? $value['null'] : null,
|
||||
'test' => isset($value['test']) ? $value['test'] : null,
|
||||
'bigField' => isset($value['bigField']) ? $value['bigField'] : false,
|
||||
'cli_only' => isset($value['cli_only']) ? $value['cli_only'] : false,
|
||||
'redacted' => isset($value['redacted']) ? $value['redacted'] : false
|
||||
'type' => $value['type'] ?? 'string',
|
||||
'description' => $value['description'] ?? null,
|
||||
'null' => $value['null'] ?? null,
|
||||
'test' => $value['test'] ?? null,
|
||||
'bigField' => $value['bigField'] ?? false,
|
||||
'cli_only' => $value['cli_only'] ?? false,
|
||||
'redacted' => $value['redacted'] ?? false
|
||||
];
|
||||
} else if (is_string($key)) {
|
||||
$moduleSettings[] = [
|
||||
|
@ -402,4 +397,27 @@ class Module extends AppModel
|
|||
}
|
||||
return $result;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array $user
|
||||
* @param string $moduleFamily
|
||||
* @param array $module
|
||||
* @return bool
|
||||
*/
|
||||
public function canUse(array $user, $moduleFamily, array $module)
|
||||
{
|
||||
if ($user['Role']['perm_site_admin']) {
|
||||
return true;
|
||||
}
|
||||
|
||||
$config = Configure::read('Plugin.' . $moduleFamily . '_' . $module['name'] . '_restrict');
|
||||
if (empty($config)) {
|
||||
return true;
|
||||
}
|
||||
if ($config == $user['org_id']) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
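Review bot: `canUse()` makes its authorisation decision with a loose comparison, `if ($config == $user['org_id'])` at line 904; `Configure::read()` returns the setting in whatever type it was stored and `$user['org_id']` is typically a string from the ORM, so the result depends on PHP's string/number juggling, whose rules for non-numeric strings changed between PHP 7 and 8. Comparing normalised values makes the rule explicit and lets the method end in a single expression: `return (int) $config === (int) $user['org_id'];` in place of the final `if` and `return false;`. The `@param array $module` docblock could also say that only `$module['name']` is read, since that is all the method needs from it.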
|
||||
|
|
|
@ -173,11 +173,9 @@ class Tag extends AppModel
|
|||
*/
|
||||
public function lookupTagIdForUser(array $user, $tagName)
|
||||
{
|
||||
$conditions = ['LOWER(Tag.name)' => mb_strtolower($tagName)];
|
||||
if (!$user['Role']['perm_site_admin']) {
|
||||
$conditions['Tag.org_id'] = [0, $user['org_id']];
|
||||
$conditions['Tag.user_id'] = [0, $user['id']];
|
||||
}
|
||||
$conditions = $this->createConditions($user);
|
||||
$conditions['LOWER(Tag.name)'] = mb_strtolower($tagName);
|
||||
|
||||
$tagId = $this->find('first', array(
|
||||
'conditions' => $conditions,
|
||||
'recursive' => -1,
|
||||
|
@ -849,4 +847,18 @@ class Tag extends AppModel
|
|||
|
||||
return $data;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array $user
|
||||
* @return array
|
||||
*/
|
||||
public function createConditions(array $user)
|
||||
{
|
||||
$conditions = [];
|
||||
if (!$user['Role']['perm_site_admin']) {
|
||||
$conditions['Tag.org_id'] = [0, $user['org_id']];
|
||||
$conditions['Tag.user_id'] = [0, $user['id']];
|
||||
}
|
||||
return $conditions;
|
||||
}
|
||||
}
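Review bot: The new `createConditions()` docblock at lines 985–994 gives only types; since this method is now the single place the tag visibility rule lives, a one-sentence description would tell callers what the returned conditions mean. Something like `Returns find() conditions limiting Tag.org_id to 0 or the user's org and Tag.user_id to 0 or the user; empty for site admins, who see every tag.` above the `@param` line covers it. Every caller in this commit assigns the result and then adds its own keys, so noting that the array is a plain conditions map intended to be extended is also worth a line.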
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
App::uses('AppModel', 'Model');
|
||||
|
||||
/**
|
||||
* @property TagCollectionTag $TagCollectionTag
|
||||
*/
|
||||
class TagCollection extends AppModel
|
||||
{
|
||||
public $useTable = 'tag_collections';
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
App::uses('AppModel', 'Model');
|
||||
|
||||
/**
|
||||
* @property Tag $Tag
|
||||
*/
|
||||
class TagCollectionTag extends AppModel
|
||||
{
|
||||
public $useTable = 'tag_collection_tags';
|
||||
|
@ -25,8 +28,4 @@ class TagCollectionTag extends AppModel
|
|||
'className' => 'Tag',
|
||||
)
|
||||
);
|
||||
|
||||
public $validate = array(
|
||||
|
||||
);
|
||||
}
|
||||
|
|