mirror of https://github.com/MISP/MISP
fix: [security] Auth key must be always random generated at server side
parent
f27580f1e6
commit
c06782226a
|
@ -71,15 +71,16 @@ class AuthKeysController extends AppController
|
|||
{
|
||||
$params = [
|
||||
'displayOnSuccess' => 'authkey_display',
|
||||
'saveModelVariable' => ['authkey_raw']
|
||||
'saveModelVariable' => ['authkey_raw'],
|
||||
'override' => ['authkey' => null], // do not allow to use own key, always generate random one
|
||||
];
|
||||
$selectConditions = [];
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
$selectConditions['AND'][] = ['User.id' => $this->Auth->user('id')];
|
||||
$params['override'] = ['user_id' => $this->Auth->user('id')];
|
||||
$params['override']['user_id'] = $this->Auth->user('id');
|
||||
} else if ($user_id) {
|
||||
$selectConditions['AND'][] = ['User.id' => $user_id];
|
||||
$params['override'] = ['user_id' => $user_id];
|
||||
$params['override']['user_id'] = $user_id;
|
||||
}
|
||||
$this->CRUD->add($params);
|
||||
if ($this->IndexFilter->isRest()) {
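Review bot: The `'override' => ['authkey' => null]` entry blanks only that one field, so the guarantee in the commit title rests on code outside this hunk: that CRUDComponent applies `override` after the request data is merged, and that the model generates a key when `authkey` is null. The inline comment could say so, e.g. `// force null so the model generates the key server-side; any request-supplied value is discarded`. Any other server-derived column of this model would still be taken from the request. The `!empty($params['fields'])` branch visible in CRUDComponent suggests an allow-list is available, and passing `fields` here would be a stricter default than overriding fields one at a time. The switch from `$params['override'] = [...]` to `$params['override']['user_id'] = ...` in both branches is what keeps the `authkey` override from being dropped, which deserves a short comment too; the enclosing method starts and ends outside the hunk.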
|
||||
|
|
|
@ -75,8 +75,6 @@ class CRUDComponent extends Component
|
|||
$input[$modelName][$field] = $value;
|
||||
}
|
||||
}
|
||||
if (isset($input[$modelName]['id'])) {
|
||||
}
|
||||
unset($input[$modelName]['id']);
|
||||
if (!empty($params['fields'])) {
|
||||
$data = [];
|
||||
|
|
|
@ -375,6 +375,13 @@ class TestSecurity(unittest.TestCase):
|
|||
|
||||
self.__delete_advanced_authkey(auth_key["id"])
|
||||
|
||||
def test_advanced_authkeys_own_key_not_possible(self):
|
||||
with MISPSetting(self.admin_misp_connector, "Security.advanced_authkeys", True):
|
||||
authkey = ("a" * 40)
|
||||
auth_key = self.__create_advanced_authkey(self.test_usr.id, {"authkey": authkey})
|
||||
self.__delete_advanced_authkey(auth_key["id"])
|
||||
self.assertNotEqual(authkey, auth_key["authkey"])
|
||||
|
||||
def test_advanced_authkeys_reset_own(self):
|
||||
with self.__setting("Security.advanced_authkeys", True):
|
||||
# Create advanced authkey
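Review bot: `self.assertNotEqual(authkey, auth_key["authkey"])` in `test_advanced_authkeys_own_key_not_possible` may pass even when the supplied key was accepted, if the `authkey` field of the response holds a stored (hashed or shortened) form rather than the raw key. The controller's `saveModelVariable => ['authkey_raw']` suggests the raw key is returned under another name, though the helper `__create_advanced_authkey` is not visible here. A stronger regression test would also try to authenticate as the test user with the chosen `"a" * 40` value and assert that the request is rejected. The new test opens with `MISPSetting(self.admin_misp_connector, ...)` while the next test uses `self.__setting(...)`; using one form in both would read more consistently. `test_advanced_authkeys_reset_own` continues outside the hunk.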
|
||||
|
|