Permission checks

iglocska 2015-11-14 17:27:06 +01:00
parent 8cc0996c3c
commit f36e00e944
4 changed files with 7 additions and 4 deletions


@ -436,7 +436,7 @@ class AppController extends Controller {
}
public function upgrade2324() {
if (!$this->_isSiteAdmin()) throw new MethodNotAllowedException();
if (!$this->_isSiteAdmin() || !$this->request->is('post')) throw new MethodNotAllowedException();
$this->loadModel('Server');
if (!Configure::read('MISP.background_jobs')) {
$this->Server->upgrade2324($this->Auth->user('id'));
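Review bot: The tightened guard on the `upgrade2324` line is right, but this action lives in AppController, and if this is CakePHP 2 (where public AppController methods are routable actions of every child controller) it is reachable under any controller's URL, so the site-admin plus POST check is the only thing standing between a URL and a data migration. A forged POST by an already-authenticated site admin would still trigger it unless CSRF token validation (Security component) covers this action, which the hunk does not show; worth confirming. A one-line comment such as `// POST-only: runs a data migration, must never be reachable from a GET link` above the check would record the intent for the next reader. upgrade2324's body continues outside the hunk.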


@ -2203,7 +2203,7 @@ class AttributesController extends AppController {
$this->redirect('/pages/display/administration');
}
public function arcsight() {
/*public function arcsight() {
if (!$this->userRole['perm_auth']) throw new MethodNotAllowedException('This functionality requires API key access.');
if ($tags) $tags = str_replace(';', ':', $tags);
$simpleFalse = array('value' , 'type', 'category', 'org', 'tags', 'from', 'to');
@ -2219,5 +2219,5 @@ class AttributesController extends AppController {
if ($this->request->is('post')) {
}
}
}*/
}
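Review bot: Disabling `arcsight()` by wrapping it in a `/* … */` block comment is fragile: if the body between the two hunks contains any `*/` (an existing block comment, for instance), the wrapper closes early and the remainder of the method is compiled back in as live code. Since version control keeps the old implementation, the cleaner change is to delete the method entirely; if it must stay as a reference, use `//` line comments and add a short note on why it was disabled. Most of the method body lies between the two hunks and is not visible here.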


@ -78,6 +78,7 @@ class OrganisationsController extends AppController {
}
public function admin_delete($id) {
if (!$this->request->is('post')) throw new MethodNotAllowedException('Action not allowed, post request expected.');
$this->Organisation->id = $id;
if (!$this->Organisation->exists()) throw new NotFoundException('Invalid organisation');
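Review bot: Requiring POST for `admin_delete` stops deletion via a crafted GET link, but `$this->request->is('post')` alone does not prevent a forged cross-site POST; that depends on CakePHP's Security component (CSRF token validation) being active for this controller, which the hunk does not show and is worth confirming. Nothing in the visible lines checks that the caller is a site admin; if that is enforced via the `admin_` prefix in the parent controller's beforeFilter, a comment such as `// site-admin only: enforced for admin_* actions in AppController::beforeFilter` would save the next reader a search. admin_delete's body continues outside the hunk.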


@ -21,7 +21,7 @@ class SharingGroupsController extends AppController {
);
public function add() {
// add check for perm_sharing_group
if (!$this->userRole['perm_sharing_group']) throw new MethodNotAllowedException('You don\'t have the required privileges to do that.');
if($this->request->is('post')) {
$json = json_decode($this->request->data['SharingGroup']['json'], true);
$this->SharingGroup->create();
@ -73,6 +73,7 @@ class SharingGroupsController extends AppController {
}
public function edit($id) {
if (!$this->userRole['perm_sharing_group']) throw new MethodNotAllowedException('You don\'t have the required privileges to do that.');
// add check for perm_sharing_group
$this->SharingGroup->id = $id;
if (!$this->SharingGroup->exists()) throw new NotFoundException('Invalid sharing group.');
@ -129,6 +130,7 @@ class SharingGroupsController extends AppController {
}
public function delete($id) {
if (!$this->userRole['perm_sharing_group']) throw new MethodNotAllowedException('You don\'t have the required privileges to do that.');
if (!$this->request->is('post')) throw new MethodNotAllowedException('Action not allowed, post request expected.');
if (!$this->SharingGroup->checkIfOwner($this->Auth->user(), $id)) throw new MethodNotAllowedException('Action not allowed.');
$deletedSg = $this->SharingGroup->find('first', array(
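Review bot: In `edit($id)` the new `perm_sharing_group` check is followed only by an existence check, whereas `delete($id)` additionally calls `checkIfOwner($this->Auth->user(), $id)` before acting; if no ownership check exists further down in edit(), any user holding the sharing-group role can modify any organisation's sharing group. Unless the rest of the method (outside the hunk) already does this, add the same guard right after the existence check: `if (!$this->SharingGroup->checkIfOwner($this->Auth->user(), $id)) throw new MethodNotAllowedException('Action not allowed.');`. The role check is a coarse capability gate and should be documented as such, e.g. `// role gate only; per-object ownership is checked below`. The bodies of all three methods continue outside their hunks.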