mirror of https://github.com/MISP/MISP
fix: [authkeys] tighter controls over adding authkeys
- only allow to add authkeys to your own user and any user in your own organisation that is not org admin / site admin - correctly filter the authkey add dialogue for the requested user if going through a user profile - as reported by @oivindohpull/8277/head
parent
87a9d8b960
commit
e987019748
|
@ -21,10 +21,40 @@ class AuthKeysController extends AppController
|
|||
public function index($id = false)
|
||||
{
|
||||
$conditions = $this->__prepareConditions();
|
||||
if ($id !== false) {
|
||||
$canCreateAuthkey = true;
|
||||
if ($id) {
|
||||
$this->set('user_id', $id);
|
||||
if ($this->_isAdmin()) {
|
||||
if ($this->_isSiteAdmin()) {
|
||||
$canCreateAuthkey = true;
|
||||
} else {
|
||||
$user = $this->AuthKey->User->find('first', [
|
||||
'recursive' => -1,
|
||||
'conditions' => [
|
||||
'User.id' => $id,
|
||||
'User.disabled' => false
|
||||
],
|
||||
'fields' => ['User.id', 'User.org_id', 'User.disabled'],
|
||||
'contain' => [
|
||||
'Role' => [
|
||||
'fields' => [
|
||||
'Role.perm_site_admin', 'Role.perm_admin'
|
||||
]
|
||||
]
|
||||
]
|
||||
]);
|
||||
if ($user['Role']['perm_site_admin'] || ($user['Role']['perm_admin'] && $user['User']['id'] !== $this->Auth->user('id'))) {
|
||||
$canCreateAuthkey = false;
|
||||
} else {
|
||||
$canCreateAuthkey = true;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$canCreateAuthkey = (int)$id === (int)$this->Auth->user('id');
|
||||
}
|
||||
$conditions['AND'][] = ['AuthKey.user_id' => $id];
|
||||
}
|
||||
$this->set('canCreateAuthkey', $canCreateAuthkey);
|
||||
$keyUsageEnabled = Configure::read('MISP.log_user_ips') && Configure::read('MISP.log_user_ips_authkeys');
|
||||
$this->CRUD->index([
|
||||
'filters' => ['User.email', 'authkey_start', 'authkey_end', 'comment', 'User.id'],
|
||||
|
@ -123,8 +153,40 @@ class AuthKeysController extends AppController
|
|||
}
|
||||
$selectConditions = [];
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
$selectConditions['AND'][] = ['User.id' => $this->Auth->user('id')];
|
||||
$params['override']['user_id'] = $this->Auth->user('id');
|
||||
if ($this->_isAdmin()) {
|
||||
$role_ids = $this->AuthKey->User->Role->find('column', [
|
||||
'fields' => ['Role.id'],
|
||||
'conditions' => [
|
||||
'AND' => [
|
||||
'Role.perm_site_admin' => false,
|
||||
'Role.perm_auth' => true,
|
||||
'Role.perm_admin' => false
|
||||
]
|
||||
]
|
||||
]);
|
||||
$user_ids = $this->AuthKey->User->find('column', [
|
||||
'fields' => ['User.id'],
|
||||
'conditions' => [
|
||||
'User.org_id' => $this->Auth->user('org_id'),
|
||||
'OR' => [
|
||||
'User.role_id' => $role_ids,
|
||||
'User.id' => $this->Auth->user('id')
|
||||
]
|
||||
]
|
||||
]);
|
||||
if (!empty($user_id)) {
|
||||
if (in_array($user_id, $user_ids)) {
|
||||
$user_ids = [$user_id];
|
||||
} else {
|
||||
throw new MethodNotAllowedException(__('Invalid user or insufficient privileges to create an authkey for the given user.'));
|
||||
}
|
||||
}
|
||||
$selectConditions['AND'][] = ['User.id' => $user_ids];
|
||||
$params['override']['user_id'] = $user_ids;
|
||||
} else {
|
||||
$selectConditions['AND'][] = ['User.id' => $this->Auth->user('id')];
|
||||
$params['override']['user_id'] = $this->Auth->user('id');
|
||||
}
|
||||
} else if ($user_id) {
|
||||
$selectConditions['AND'][] = ['User.id' => $user_id];
|
||||
$params['override']['user_id'] = $user_id;
|
||||
|
|
|
@ -24,7 +24,8 @@
|
|||
$baseurl,
|
||||
empty($user_id) ? '' : ('/' . $user_id)
|
||||
)
|
||||
]
|
||||
],
|
||||
'requirement' => $canCreateAuthkey
|
||||
]
|
||||
]
|
||||
],
|
||||
|
|
Loading…
Reference in New Issue