new: [security] Check org list when accessing distribution graph

pull/6749/head
Jakub Onderka 2020-12-14 13:38:04 +01:00
parent 800da386ff
commit bf27358584
2 changed files with 49 additions and 9 deletions


@ -1,12 +1,15 @@
<?php
class DistributionGraphTool
{
private $__user = false;
/** @var array */
private $__user;
private $__json = array();
/** @var Event */
private $__eventModel;
/** @var Organisation */
private $__organisationModel;
/** @var array */
private $__serverList;
public function construct(Event $eventModel, array $servers, array $user, $extended_view=0)
{
@ -76,27 +79,27 @@ class DistributionGraphTool
$this->__addAdditionalDistributionInfo(3, "All other communities"); // add current community
// connected
$servers = $this->__serverList;
$this->__addAdditionalDistributionInfo(2, "This community"); // add current community
foreach ($servers as $server) {
foreach ($this->__serverList as $server) {
$this->__addAdditionalDistributionInfo(2, $server);
}
// community
$orgConditions = $this->__organisationModel->createConditions($this->__user);
$orgConditions['local'] = true;
$orgs = $this->__organisationModel->find('list', array(
'fields' => array('name'),
'conditions' => array('local' => true)
'fields' => ['id', 'name'],
'conditions' => $orgConditions,
));
$thisOrg = $this->__user['Organisation']['name'];
$this->__addAdditionalDistributionInfo(1, $thisOrg); // add current community
foreach ($orgs as $org) {
if ($thisOrg != $org) {
$this->__addAdditionalDistributionInfo(1, $org);
foreach ($orgs as $orgId => $orgName) {
if ($thisOrg != $orgName) {
$this->__addAdditionalDistributionInfo(1, $orgName);
}
}
// org only
$thisOrg = $this->__user['Organisation']['name'];
$this->__addAdditionalDistributionInfo(0, $thisOrg); // add current community
}
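Review bot: The loop at `foreach ($orgs as $orgId => $orgName)` now has the organisation id in hand but still decides by display name with a loose `!=`, while the new `createConditions` call a few lines above restricts the same list by id; `$orgId` is otherwise unused and a static analyser will flag it. Comparing the key is stricter and consistent with the condition builder: `if ((int) $orgId !== (int) $this->__user['org_id']) {`. The `org_id` key is the one `createConditions` reads from the same user array, so no new assumption about its shape is introduced. The enclosing method starts outside the hunk.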


@ -486,6 +486,7 @@ class Organisation extends AppModel
/**
* Hide organisation view from users if they haven't yet contributed data and Security.hide_organisation_index_from_users is enabled
*
* @see Organisation::canSee if you want to check multiple orgs
* @param array $user
* @param int $orgId
* @return bool
@ -521,6 +522,42 @@ class Organisation extends AppModel
return true;
}
/**
* Create conditions for fetching orgs based on user permission.
* @see Organisation::canSee if you want to check just one org
* @param array $user
* @return array|array[]
*/
public function createConditions(array $user)
{
if (!$user['Role']['perm_sharing_group'] && Configure::read('Security.hide_organisation_index_from_users')) {
$allowedOrgs = [$user['org_id']];
$eventConditions = $this->Event->createEventConditions($user);
$orgsWithEvent = array_column(array_column($this->Event->find('all', [
'fields' => ['DISTINCT Event.orgc_id'],
'recursive' => -1,
'conditions' => $eventConditions,
]), 'Event'), 'orgc_id');
$allowedOrgs = array_merge($allowedOrgs, $orgsWithEvent);
$proposalConditions = $this->Event->ShadowAttribute->buildConditions($user);
// Do not check orgs that we already can see
$proposalConditions['AND'][]['NOT'] = ['ShadowAttribute.org_id' => $allowedOrgs];
$orgsWithProposal = array_column(array_column($this->Event->ShadowAttribute->find('all', [
'fields' => ['DISTINCT ShadowAttribute.org_id'],
'recursive' => -1,
'conditions' => $proposalConditions,
'contain' => ['Event', 'Attribute'],
]), 'ShadowAttribute'), 'org_id');
$allowedOrgs = array_merge($allowedOrgs, $orgsWithProposal);
return ['AND' => ['id' => $allowedOrgs]];
}
return [];
}
private function getCountryGalaxyCluster()
{
static $list;
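Review bot: The docblock on `createConditions` says `@return array|array[]`, which tells a caller nothing about the two shapes the method actually returns, and the caller in DistributionGraphTool merges the result straight into a find() condition, so the contract matters. Suggest `@return array Empty when no restriction applies, otherwise ['AND' => ['id' => list of allowed org ids]]`, plus a one-line note that the restriction is only built when the user lacks perm_sharing_group and Security.hide_organisation_index_from_users is enabled. `$allowedOrgs` may also hold the user's own org more than once (added explicitly, then possibly again from the event query); that is harmless in an IN clause but can be tidied with `return ['AND' => ['id' => array_unique($allowedOrgs)]];`.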