chg: [object:fromAttributes] Method only accesible via AJAX and regular

users can use the feature
2019-06-12 11:17:17 +02:00 · 2019-06-12 11:17:17 +02:00 · d6093b9659
parent b050269949
commit d6093b9659
3 changed files with 12 additions and 9 deletions
--- a/app/Controller/Component/ACLComponent.php
+++ b/app/Controller/Component/ACLComponent.php
@ -250,8 +250,8 @@ class ACLComponent extends Component
                'edit' => array('perm_add'),
                'get_row' => array('perm_add'),
                'orphanedObjectDiagnostics' => array(),
-                'proposeObjectsFromAttributes' => array(),
-                'groupAttributesIntoObject' => array(),
+                'proposeObjectsFromAttributes' => array('*'),
+                'groupAttributesIntoObject' => array('perm_add'),
                'revise_object' => array('perm_add'),
                'view' => array('*'),
            ),
--- a/app/Controller/ObjectsController.php
+++ b/app/Controller/ObjectsController.php
@ -992,6 +992,9 @@ class ObjectsController extends AppController

    function proposeObjectsFromAttributes($event_id, $selected_attributes='[]')
    {
+        if (!$this->request->is('ajax')) {
+            throw new MethodNotAllowedException(__('This action can only be reached via AJAX.'));
+        }
        $selected_attributes = json_decode($selected_attributes, true);
        $res = $this->MispObject->validObjectsFromAttributeTypes($this->Auth->user(), $event_id, $selected_attributes);
        $potential_templates = $res['templates'];
@ -1025,10 +1028,10 @@ class ObjectsController extends AppController
            throw new NotFoundException(__('Invalid event.'));
        }
        $hard_delete_attribute = $event['Event']['publish_timestamp'] == 0;
+        if (!$this->request->is('ajax')) {
+            throw new MethodNotAllowedException(__('This action can only be reached via AJAX.'));
+        }
        if ($this->request->is('post')) {
-            if (!$this->request->is('ajax')) {
-                throw new MethodNotAllowedException(__('This action can only be reached via AJAX.'));
-            }
            $template = $this->MispObject->ObjectTemplate->find('first', array(
                'recursive' => -1,
                'conditions' => array('ObjectTemplate.id' => $selected_template, 'ObjectTemplate.active' => true)
--- a/app/Model/MispObject.php
+++ b/app/Model/MispObject.php
@ -728,12 +728,12 @@ class MispObject extends AppModel

    public function validObjectsFromAttributeTypes($user, $event_id, $selected_attribute_ids)
    {
-        $attributes = $this->Attribute->fetchAttributesSimple($user,
+        $attributes = $this->Attribute->fetchAttributes($user,
            array(
                'conditions' => array(
-                    'id' => $selected_attribute_ids,
-                    'event_id' => $event_id,
-                    'object_id' => 0
+                    'Attribute.id' => $selected_attribute_ids,
+                    'Attribute.event_id' => $event_id,
+                    'Attribute.object_id' => 0
                ),
            )
        );