new: [test] Check sighting rest search ACL vol. 2

pull/8729/head
Jakub Onderka 2022-10-31 16:59:30 +01:00
parent a7687c592d
commit ecb88f1c93
2 changed files with 17 additions and 4 deletions


@ -800,7 +800,6 @@ class Sighting extends AppModel
*/
public function listSightings(array $user, $ids, $context, $orgId = false, $sightingsType = false, $orderDesc = true)
{
$this->Event = ClassRegistry::init('Event');
$ids = is_array($ids) ? $ids : $this->explodeIdList($ids);
$objectIds = [];


@ -1564,15 +1564,29 @@ class TestSecurity(unittest.TestCase):
check_response(user1.add_sighting(s, private_event.Attribute[0]))
self.assertEqual(len(user1.sightings(private_event)), 1, "User should see hos own sighting")
sightings = user1.search_sightings("event", private_event.id)
self.assertEqual(len(sightings), 1, sightings)
print(sightings)
org = self.__create_org()
user = self.__create_user(org.id, ROLE.USER)
user2 = PyMISP(url, user.authkey)
user2.global_pythonify = True
self.assertFalse(user2.event_exists(private_event), "User should not see the event")
self.assertEqual(len(user2.sightings(private_event)), 0, "User should not seen any sighting for private event")
self.assertEqual(len(user2.search_sightings("event", private_event.id)), 0,
"User should not seen any sighting from private event from rest search")
sightings = user2.sightings(private_event)
self.assertErrorResponse(sightings, "User should not seen any sighting for private event")
sightings = user2.search_sightings("event", private_event.id)
self.assertEqual(len(sightings), 0, "User should not seen any sighting from private event from rest search")
with self.__setting("Plugin.Sightings_policy", 2): # set sighting policy to everyone
sightings = user2.sightings(private_event)
self.assertErrorResponse(sightings, "User should not seen any sighting for private event")
sightings = user2.search_sightings("event", private_event.id)
self.assertEqual(len(sightings), 0, "User should not seen any sighting from private event from rest search")
self.admin_misp_connector.delete_event(private_event)
self.admin_misp_connector.delete_user(user)
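Review bot: The zero-length assertions on `user2.search_sightings("event", private_event.id)`, including the ones inside the `with self.__setting("Plugin.Sightings_policy", 2)` block, have no positive control under that policy, so they would also pass if rest search simply returned nothing for every caller. Inside the `with` block I would add a check that a user who can see the event still gets the sighting, e.g. `self.assertEqual(len(user1.search_sightings("event", private_event.id)), 1)`, assuming user1 keeps access to the event as the earlier assertions suggest. The `print(sightings)` after the first rest-search assertion looks like leftover debug output and can be dropped. The `delete_event` and `delete_user` calls at the end run only when every assertion passes, so a failing ACL check leaves the private event and the extra user behind; registering them with `self.addCleanup(...)` right after creation would avoid that. The test method starts outside the hunk, so any setup or cleanup there is not visible here.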