Merge branch 'fix_1311_only_show_API/authkey_to_user_with_rights' of https://github.com/cristianbell/MISP into cristianbell-fix_1311_only_show_API/authkey_to_user_with_rights

app/Controller/Component/ACLComponent.php

@@ -334,6 +334,7 @@ class ACLComponent extends Component {
 					'logout' => array('*'),
 					'attributehistogram' => array('*'),
 					'resetauthkey' => array('*'),
+					'request_API' => array('*'),
 					'routeafterlogin' => array('*'),
 					'statistics' => array('*'),
 					'terms' => array('*'),

app/Controller/UsersController.php

@@ -36,12 +36,29 @@ class UsersController extends AppController {
 		}
 		$this->User->id = $id;
 		$this->User->recursive = 0;
+
 		if (!$this->User->exists()) {
 			throw new NotFoundException(__('Invalid user'));
 		}
 		$this->set('user', $this->User->read(null, $id));
 	}
 
+	public function request_API(){
+		$responsibleAdmin = $this->User->findAdminsResponsibleForUser($this->Auth->user());
+		$message = "Something went wrong, please try again later.";
+		if(isset($responsibleAdmin['email']) && !empty($responsibleAdmin['email'])){
+			$subject = "[MISP ".Configure::read('MISP.org')."] User requesting API access";
+			$body = "A user (".$this->Auth->user('email').") has sent you a request to enable his/her API key access.<br/>";
+			$body .= "Click <a href=\"".Configure::read('MISP.baseurl')."\">here</a> to edit his profile to change his role.";
+			$user = $this->User->find('first', array('conditions' => array('User.id' => $this->Auth->user('id'))));
+			$result = $this->User->sendEmail($user, $body, false, $subject);
+			if($result)
+				$message = "API access requested.";
+		}
+		$this->set('message', $message);
+		$this->layout = 'ajax';
+	}
+
 	public function edit($id = null) {
 		if (!$this->_isAdmin() && Configure::read('MISP.disableUserSelfManagement')) throw new MethodNotAllowedException('User self-management has been disabled on this instance.');
 		$me = false;
@@ -671,6 +688,10 @@ class UsersController extends AppController {
 			$this->Session->setFlash(__('Invalid id for user', true), 'default', array(), 'error');
 			$this->redirect(array('action' => 'view', $this->Auth->user('id')));
 		}
+		if (!$this->userRole['perm_auth']) {
+			$this->Session->setFlash(__('Invalid action', true), 'default', array(), 'error');
+			$this->redirect(array('action' => 'view', $this->Auth->user('id')));
+		}
 		// reset the key
 		$this->User->id = $id;
 		if (!$this->User->exists($id)) {

app/Model/User.php

@@ -898,4 +898,35 @@ class User extends AppModel {
 		}
 		return $usersPerOrg;
 	}
+
+	public function findAdminsResponsibleForUser($user){
+		$admin = $this->find('first', array(
+			'recursive' => -1,
+			'conditions' => array(
+				'Role.perm_site_admin' => 0,
+				'Role.perm_admin' => 1,
+				'User.disabled' => 0,
+				'User.org_id' => $user['org_id']
+			),
+			'contain' => array(
+				'Role' => array('fields' => array('perm_admin', 'perm_site_admin'))
+			),
+			'fields' => array('User.id', 'User.email', 'User.org_id')
+		));
+		if(count($admin) == 0) {
+			$admin = $this->find('first', array(
+				'recursive' => -1,
+				'conditions' => array(
+					'Role.perm_site_admin' => 1,
+					'User.disabled' => 0,
+				),
+				'contain' => array(
+					'Role' => array('fields' => array('perm_site_admin'))
+				),
+				'fields' => array('User.id', 'User.email', 'User.org_id')
+			));
+		}
+
+		return $admin['User'];
+	}
 }

app/View/Users/request__a_p_i.ctp

@@ -0,0 +1,5 @@
+<div class="message2user"><br />
+	<div><?php echo $message; ?></div>
+	<br />
+	<span class="btn btn-inverse" onClick="cancelPrompt();" style="float:right;">Close</span>
+</div>

app/View/Users/view.ctp

@@ -34,9 +34,13 @@
 		<dt><?php echo __('Authkey'); ?></dt>
 		<dd>
 			<?php
-				echo h($user['User']['authkey']);
-				if (!Configure::read('MISP.disableUserSelfManagement') || $isAdmin) {
-					echo '(' . $this->Html->link('reset', array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id'])) . ')';
+				if ($user['Role']['perm_auth']) {
+					echo h($user['User']['authkey']);
+					if (!Configure::read('MISP.disableUserSelfManagement') || $isAdmin) {
+						echo '(' . $this->Html->link('reset', array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id'])) . ')';
+					}
+				} else {
+					echo "<a onclick=\"requestAPIAccess()\" style=\"cursor:pointer;\">Request API access</a>";
 				}
 			?>
 			&nbsp;

app/webroot/css/main.css

@@ -1600,6 +1600,9 @@ a.discrete {
     background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
 }
 
+#confirmation_box .message2user div{text-align: center;}
+#confirmation_box .message2user .btn{margin: -1em 0.6em 0.6em;}
+
 @-webkit-keyframes rotation {
    from {-webkit-transform: rotate(0deg);}
    to {-webkit-transform: rotate(359deg);}

app/webroot/js/misp2.4.51.js

@@ -60,6 +60,11 @@ function cancelPrompt() {
 	$("#confirmation_box").empty();
 }
 
+function showPrompt(){
+	$("#confirmation_box").fadeIn();
+	$("#gray_out").fadeIn();
+}
+
 function submitDeletion(context_id, action, type, id) {
 	var context = 'event';
 	if (type == 'template_elements') context = 'template';
@@ -2498,6 +2503,25 @@ function serverOwnerOrganisationChange(host_org_id) {
 	}
 }
 
+function requestAPIAccess() {
+	url = "/users/request_API/";
+	$.ajax({
+		type:"get",
+		url:url,
+		beforeSend: function (XMLHttpRequest) {
+			$(".loading").show();
+		},
+		success:function (data) {
+			$("#confirmation_box").html(data);
+			showPrompt();
+			$(".loading").hide();
+		},
+		error:function() {
+			showMessage('fail', 'Something went wrong - could not request API access.');
+		}
+	});
+}
+
 $('.servers_default_role_checkbox').click(function() {
 	var id = $(this).data("id");
 	var state = $(this).is(":checked");
@@ -2516,4 +2540,4 @@ $('.servers_default_role_checkbox').click(function() {
 		cache: false,
 		url: '/admin/roles/set_default/' + (state ? id : ""),
 	});
-});
+});