Merge pull request #8713 from JakubOnderka/tags-acl

chg: [acl] Move tags ACL check to one place
pull/8724/head
Jakub Onderka 2022-10-28 09:08:39 +02:00 committed by GitHub
commit beada205ab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 91 additions and 99 deletions


@ -2641,11 +2641,8 @@ class AttributesController extends AppController
$tag_id_list = array($tag_id);
}
$conditions = ['Tag.id' => $tag_id_list];
if (!$this->_isSiteAdmin()) {
$conditions['Tag.org_id'] = array(0, $this->Auth->user('org_id'));
$conditions['Tag.user_id'] = array(0, $this->Auth->user('id'));
}
$conditions = $this->Attribute->AttributeTag->Tag->createConditions($this->Auth->user());
$conditions['Tag.id'] = $tag_id_list;
$tags = $this->Attribute->AttributeTag->Tag->find('list', array(
'conditions' => $conditions,
'fields' => ['Tag.id', 'Tag.name'],


@ -3082,7 +3082,7 @@ class EventsController extends AppController
if (empty($event)) {
throw new NotFoundException(__('Invalid event.'));
}
if (!$this->_isSiteAdmin() && $this->Auth->user('org_id') !== $event['Event']['orgc_id']) {
if (!$this->__canPublishEvent($event)) {
throw new MethodNotAllowedException(__('You do not have the permission to do that.'));
}
if (!$this->_isRest()) {
@ -3754,11 +3754,8 @@ class EventsController extends AppController
$this->loadModel('Taxonomy');
foreach ($tag_id_list as $tag_id) {
$conditions = ['Tag.id' => $tag_id];
if (!$this->_isSiteAdmin()) {
$conditions['Tag.org_id'] = array('0', $this->Auth->user('org_id'));
$conditions['Tag.user_id'] = array('0', $this->Auth->user('id'));
}
$conditions = $this->Event->EventTag->Tag->createConditions($this->Auth->user());
$conditions['Tag.id'] = $tag_id;
$tag = $this->Event->EventTag->Tag->find('first', array(
'conditions' => $conditions,
'recursive' => -1,
@ -5729,10 +5726,10 @@ class EventsController extends AppController
$event = $this->Event->find('first', array(
'recursive' => -1,
'conditions' => ['Event.id' => $id],
'fields' => ['Event.orgc_id', 'Event.timestamp'],
'fields' => ['Event.orgc_id', 'Event.timestamp', 'Event.user_id'],
));
// Return empty response if event not found or user org is not owner
if (empty($event) || ($event['Event']['orgc_id'] != $user['org_id'] && !$this->_isSiteAdmin())) {
// Return empty response if event not found or user don't have permission to modify it
if (empty($event) || !$this->__canModifyEvent($event, $user)) {
return new CakeResponse(['status' => 204]);
}
@ -5756,10 +5753,10 @@ class EventsController extends AppController
$editors = array_unique($editors);
if ($event['Event']['timestamp'] > $timestamp && empty($editors)) {
$message = __('<b>Warning</b>: This event view is outdated. Please reload page to see latest changes.');
$message = __('<b>Warning</b>: This event view is outdated. Please reload page to see the latest changes.');
$this->set('class', 'alert');
} else if ($event['Event']['timestamp'] > $timestamp) {
$message = __('<b>Warning</b>: This event view is outdated, because is currently being edited by: %s. Please reload page to see latest changes.', h(implode(', ', $editors)));
$message = __('<b>Warning</b>: This event view is outdated, because is currently being edited by: %s. Please reload page to see the latest changes.', h(implode(', ', $editors)));
$this->set('class', 'alert');
} else if (empty($editors)) {
return new CakeResponse(['status' => 204]);
@ -5776,31 +5773,16 @@ class EventsController extends AppController
public function getEditStrategy($id)
{
// find the id of the event, change $id to it and proceed to read the event as if the ID was entered.
if (Validation::uuid($id)) {
$this->Event->recursive = -1;
$event = $this->Event->find('first', array(
'recursive' => -1,
'conditions' => array('Event.uuid' => $id),
'fields' => array('Event.id', 'Event.uuid', 'Event.orgc_id')
));
if ($event == null) {
throw new NotFoundException(__('Invalid event'));
}
$id = $event['Event']['id'];
} elseif (!is_numeric($id)) {
throw new NotFoundException(__('Invalid event'));
} else {
$event = $this->Event->find('first', array(
'recursive' => -1,
'conditions' => array('Event.id' => $id),
'fields' => array('Event.id', 'Event.uuid', 'Event.orgc_id')
));
}
$event = $this->Event->find('first', array(
'recursive' => -1,
'conditions' => Validation::uuid($id) ? ['Event.uuid' => $id] : ['Event.id' => $id],
'fields' => array('Event.id', 'Event.uuid', 'Event.orgc_id', 'Event.user_id')
));
if (empty($event)) {
throw new NotFoundException(__('Invalid event'));
}
$response = array('extensions' => array());
if ($event['Event']['orgc_id'] === $this->Auth->user('org_id')) {
if ($this->__canModifyEvent($event)) {
$response['strategy'] = 'edit';
} else {
$response['strategy'] = 'extend';
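Review bot: The rewritten lookup in getEditStrategy drops the old `is_numeric($id)` guard, so an id that is neither a UUID nor a number is now passed straight into the `Event.id` condition; the query layer quotes it, but comparing a string against an integer column is left to the database's coercion rules, and on MySQL a leading-numeric value such as `12abc` resolves to event 12 instead of raising NotFound as the removed branch did. Add `if (!Validation::uuid($id) && !is_numeric($id)) { throw new NotFoundException(__('Invalid event')); }` before the find. The edit/extend decision now rests on `__canModifyEvent`, whose definition is outside this section, so I cannot confirm here that the newly fetched `Event.user_id` field is what it consumes; a one-line comment at the call site naming the helper's inputs would save the next reader that lookup. getEditStrategy continues past the end of the hunk.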


@ -1,10 +1,14 @@
<?php
App::uses('AppController', 'Controller');
/**
* @property Module $Module
*/
class ModulesController extends AppController
{
public $components = array(
'RequestHandler'
);
'RequestHandler'
);
public function queryEnrichment()
{
@ -18,11 +22,7 @@ class ModulesController extends AppController
if (!Configure::read('Plugin.Enrichment_' . $modname . '_enabled')) {
throw new MethodNotAllowedException('Module not found or not available.');
}
if (
!$this->_isSiteAdmin &&
Configure::read('Plugin.Enrichment_' . $modname . '_restrict') &&
Configure::read('Plugin.Enrichment_' . $modname . '_restrict') != $this->Auth->user('org_id')
) {
if (!$this->Module->canUse($this->Auth->user(), 'Enrichment', $modname)) {
throw new MethodNotAllowedException('Module not found or not available.');
}
$options = array();
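Review bot: The new call `$this->Module->canUse($this->Auth->user(), 'Enrichment', $modname)` passes the module name as a string, but `Module::canUse` as added in this same commit declares its third parameter `array $module` and reads `$module['name']`, so this line throws a TypeError on every enrichment query and the restriction check is never evaluated (it surfaces as a server error rather than an authorization bypass, but the endpoint is broken). `$modname` is certainly a string here: the line above concatenates it into the `Plugin.Enrichment_…_enabled` key. Either pass `['name' => $modname]` or relax `canUse` to accept a plain name. queryEnrichment's body continues outside the hunk.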


@ -751,9 +751,7 @@ class ServersController extends AppController
throw new NotFoundException(__('Invalid server'));
}
$error = false;
if (!$this->_isSiteAdmin() && !($s['Server']['org_id'] == $this->Auth->user('org_id') && $this->_isAdmin())) {
throw new MethodNotAllowedException(__('You are not authorised to do that.'));
}
if (false == $s['Server']['pull'] && ($technique === 'full' || $technique === 'incremental')) {
$error = __('Pull setting not enabled for this server.');
}
@ -832,9 +830,7 @@ class ServersController extends AppController
throw new NotFoundException(__('Invalid server'));
}
$s = $this->Server->read(null, $id);
if (!$this->_isSiteAdmin() && !($s['Server']['org_id'] == $this->Auth->user('org_id') && $this->_isAdmin())) {
throw new MethodNotAllowedException(__('You are not authorised to do that.'));
}
if (!Configure::read('MISP.background_jobs')) {
App::uses('SyncTool', 'Tools');
$syncTool = new SyncTool();
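Review bot: Both hunks remove the per-server ownership check (`!$this->_isSiteAdmin() && !($s['Server']['org_id'] == $this->Auth->user('org_id') && $this->_isAdmin())`) from the pull and push actions with no replacement visible in this section, and the commit title, which is about tag ACL, does not mention it. If the ACL component already limits these actions to site admins the check was redundant; if it admits org admins, an org admin can now trigger pull or push against a server owned by another organisation, which the removed test prevented. Please confirm which case applies before merging, since nothing on this page establishes it. Both enclosing actions continue outside the hunks.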


@ -247,11 +247,7 @@ class TagCollectionsController extends AppController
}
$tag_id = $this->request->data['tag'];
}
$tagConditions = array();
if (!$this->_isSiteAdmin()) {
$tagConditions['Tag.org_id'] = array('0', $this->Auth->user('org_id'));
$tagConditions['Tag.user_id'] = array('0', $this->Auth->user('id'));
}
$tagConditions = $this->TagCollection->TagCollectionTag->Tag->createConditions($this->Auth->user());
if (!is_numeric($tag_id)) {
$tag_ids = json_decode($tag_id);
$tag_lookups = array();
@ -306,11 +302,8 @@ class TagCollectionsController extends AppController
}
foreach ($tag_id_list as $tag_id) {
$tagConditions = ['Tag.id' => $tag_id];
if (!$this->_isSiteAdmin()) {
$tagConditions['Tag.org_id'] = array('0', $this->Auth->user('org_id'));
$tagConditions['Tag.user_id'] = array('0', $this->Auth->user('id'));
}
$tagConditions = $this->TagCollection->TagCollectionTag->Tag->createConditions($this->Auth->user());
$tagConditions['Tag.id'] = $tag_id;
$tag = $this->TagCollection->TagCollectionTag->Tag->find('first', array(
'conditions' => $tagConditions,
'recursive' => -1,


@ -507,12 +507,9 @@ class TagsController extends AppController
$expanded = $tags;
} elseif ($taxonomy_id === 'favourites') {
$tags = array();
$conditions = array(
'FavouriteTag.user_id' => $user['id'],
'Tag.org_id' => array(0, $user['org_id']),
'Tag.user_id' => array(0, $user['id']),
'Tag.hide_tag' => 0,
);
$conditions = $this->Tag->createConditions($user);
$conditions['FavouriteTag.user_id'] = $user['id'];
$conditions['Tag.hide_tag'] = 0;
if (!$local_tag) {
$conditions['Tag.local_only'] = 0;
}
@ -527,14 +524,9 @@ class TagsController extends AppController
$expanded = $tags;
}
} elseif ($taxonomy_id === 'all') { // all tags
$conditions = [
'Tag.is_galaxy' => 0,
'Tag.hide_tag' => 0,
];
if (!$this->_isSiteAdmin()) {
$conditions['Tag.org_id'] = array(0, $user['org_id']);
$conditions['Tag.user_id'] = array(0, $user['id']);
}
$conditions = $this->Tag->createConditions($user);
$conditions['Tag.is_galaxy'] = 0;
$conditions['Tag.hide_tag'] = 0;
if (!$local_tag) {
$conditions['Tag.local_only'] = 0;
}


@ -14,7 +14,7 @@ class Module extends AppModel
'Cortex' => array('cortex')
);
private $__typeToFamily = array(
const TYPE_TO_FAMILY = array(
'Import' => 'Import',
'Export' => 'Export',
'Action' => 'Action',
@ -113,11 +113,7 @@ class Module extends AppModel
unset($modules[$k]);
continue;
}
if (
!$user['Role']['perm_site_admin'] &&
Configure::read('Plugin.' . $moduleFamily . '_' . $module['name'] . '_restrict') &&
Configure::read('Plugin.' . $moduleFamily . '_' . $module['name'] . '_restrict') != $user['org_id']
) {
if (!$this->canUse($user, $moduleFamily, $module)) {
unset($modules[$k]);
}
}
@ -156,10 +152,10 @@ class Module extends AppModel
*/
public function getEnabledModule($name, $type)
{
if (!isset($this->__typeToFamily[$type])) {
if (!isset(self::TYPE_TO_FAMILY[$type])) {
throw new InvalidArgumentException("Invalid type '$type'.");
}
$moduleFamily = $this->__typeToFamily[$type];
$moduleFamily = self::TYPE_TO_FAMILY[$type];
$modules = $this->getModules($moduleFamily);
if (!Configure::read('Plugin.' . $moduleFamily . '_' . $name . '_enabled')) {
return 'The requested module is not enabled.';
@ -375,14 +371,13 @@ class Module extends AppModel
$name = is_string($key) ? $key : $value['name'];
$moduleSettings[] = [
'name' => $name,
'type' => isset($value['type']) ? $value['type'] : 'string',
'test' => isset($value['test']) ? $value['test'] : null,
'description' => isset($value['description']) ? $value['description'] : null,
'null' => isset($value['null']) ? $value['null'] : null,
'test' => isset($value['test']) ? $value['test'] : null,
'bigField' => isset($value['bigField']) ? $value['bigField'] : false,
'cli_only' => isset($value['cli_only']) ? $value['cli_only'] : false,
'redacted' => isset($value['redacted']) ? $value['redacted'] : false
'type' => $value['type'] ?? 'string',
'description' => $value['description'] ?? null,
'null' => $value['null'] ?? null,
'test' => $value['test'] ?? null,
'bigField' => $value['bigField'] ?? false,
'cli_only' => $value['cli_only'] ?? false,
'redacted' => $value['redacted'] ?? false
];
} else if (is_string($key)) {
$moduleSettings[] = [
@ -402,4 +397,27 @@ class Module extends AppModel
}
return $result;
}
/**
* @param array $user
* @param string $moduleFamily
* @param array $module
* @return bool
*/
public function canUse(array $user, $moduleFamily, array $module)
{
if ($user['Role']['perm_site_admin']) {
return true;
}
$config = Configure::read('Plugin.' . $moduleFamily . '_' . $module['name'] . '_restrict');
if (empty($config)) {
return true;
}
if ($config == $user['org_id']) {
return true;
}
return false;
}
}
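Review bot: `canUse` decides the restriction with a loose comparison, `if ($config == $user['org_id'])`, and its docblock gives only parameter types, so a reader cannot tell what the `Plugin.<family>_<name>_restrict` setting is expected to hold or why an empty value means unrestricted. The loose `==` matches the inline code it replaces, so behaviour is preserved, but an explicit `if ((int)$config === (int)$user['org_id']) {` makes the intended integer comparison clear and independent of PHP's version-specific string rules. Add a description stating that site admins always pass, an empty setting means any organisation may use the module, and otherwise only the organisation whose id is configured may; also note that `$module` is an element of the `getModules()` result and that only `$module['name']` is read. The three-branch body could then collapse to a single boolean return.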


@ -173,11 +173,9 @@ class Tag extends AppModel
*/
public function lookupTagIdForUser(array $user, $tagName)
{
$conditions = ['LOWER(Tag.name)' => mb_strtolower($tagName)];
if (!$user['Role']['perm_site_admin']) {
$conditions['Tag.org_id'] = [0, $user['org_id']];
$conditions['Tag.user_id'] = [0, $user['id']];
}
$conditions = $this->createConditions($user);
$conditions['LOWER(Tag.name)'] = mb_strtolower($tagName);
$tagId = $this->find('first', array(
'conditions' => $conditions,
'recursive' => -1,
@ -849,4 +847,18 @@ class Tag extends AppModel
return $data;
}
/**
* @param array $user
* @return array
*/
public function createConditions(array $user)
{
$conditions = [];
if (!$user['Role']['perm_site_admin']) {
$conditions['Tag.org_id'] = [0, $user['org_id']];
$conditions['Tag.user_id'] = [0, $user['id']];
}
return $conditions;
}
}
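Review bot: `createConditions` now carries the tag visibility rule for every lookup touched by this commit, yet its docblock lists only types; a reader has to infer that an empty array means "no restriction" and that this is the site-admin case. Add a description above it saying it returns find() conditions limiting tags to those that are global (`org_id`/`user_id` of 0) or owned by the user's organisation or the user, with site admins receiving an empty array. State that `$user` must include `Role.perm_site_admin`, which the method dereferences unconditionally, and that callers add their own `Tag.id` or name condition afterwards, as lookupTagIdForUser does on the line following the call.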


@ -2,6 +2,9 @@
App::uses('AppModel', 'Model');
/**
* @property TagCollectionTag $TagCollectionTag
*/
class TagCollection extends AppModel
{
public $useTable = 'tag_collections';


@ -2,6 +2,9 @@
App::uses('AppModel', 'Model');
/**
* @property Tag $Tag
*/
class TagCollectionTag extends AppModel
{
public $useTable = 'tag_collection_tags';
@ -25,8 +28,4 @@ class TagCollectionTag extends AppModel
'className' => 'Tag',
)
);
public $validate = array(
);
}