mirror of https://github.com/MISP/MISP
fix: [local tags] Host org non admin users should be able to tag data owned by others, partially fixes #4925
iglocska
parent
f6df9c2767
commit
e5cfd152cf
|
|
@ -3122,9 +3122,11 @@ class AttributesController extends AppController
|
|||
if (empty($attribute)) {
|
||||
throw new NotFoundException(__('Invalid attribute'));
|
||||
}
|
||||
if (!$this->_isSiteAdmin() && $attribute['Event']['orgc_id'] !== $this->Auth->user('org_id')) {
|
||||
$fails++;
|
||||
continue;
|
||||
if ((!$this->userRole['perm_sync'] && !$this->_isSiteAdmin()) && $attribute['Event']['orgc_id'] !== $this->Auth->user('org_id')) {
|
||||
if (Configure::read('MISP.host_org_id') != $this->Auth->user('org_id') || !$local) {
|
||||
$fails++;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
$eventId = $attribute['Attribute']['event_id'];
|
||||
$event = $this->Attribute->Event->find('first', array(
|
||||
|
|
|
|||
|
|
@ -3666,8 +3666,15 @@ class EventsController extends AppController
|
|||
$tag_id = $this->request->data['tag'];
|
||||
}
|
||||
if (!$this->_isSiteAdmin() && !$this->userRole['perm_sync']) {
|
||||
if (!$this->userRole['perm_tagger'] || ($this->Auth->user('org_id') !== $event['Event']['orgc_id'])) {
|
||||
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'You don\'t have permission to do that.')), 'status'=>200, 'type' => 'json'));
|
||||
if (
|
||||
!$this->userRole['perm_tagger'] ||
|
||||
(
|
||||
$this->Auth->user('org_id') !== $event['Event']['orgc_id']
|
||||
)
|
||||
) {
|
||||
if (Configure::read('MISP.host_org_id') != $this->Auth->user('org_id') || !$local) {
|
||||
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'You don\'t have permission to do that.')), 'status'=>200, 'type' => 'json'));
|
||||
}
|
||||
}
|
||||
}
|
||||
$conditions = array('LOWER(Tag.name) LIKE' => strtolower(trim($tag_id)));
|
||||
|
|
|
|||
Loading…
Reference in New Issue