From 9640dcd4ed51294ad9dd76bf2c14e645d584760d Mon Sep 17 00:00:00 2001
From: iglocska
Date: Tue, 22 Apr 2014 10:36:37 +0200
Subject: [PATCH] Automation authentication via header fixes #254
 - Authentication via headers was only allowed if _isRest() returned true - this only happened for pages returning JSON or XML content
 - a new check, _isAutomation() was added that allows authentication via headers for certain methods used by the automation system
---
 app/Controller/AppController.php | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index 9f41cf266..5a70e40c2 100755
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -41,6 +41,13 @@ class AppController extends Controller {
 public $defaultModel = '';
 public $debugMode = false;
+
+ // Used for _isAutomation(), a check that returns true if the controller & action combo matches an action that is a non-xml and non-json automation method
+ // This is used to allow authentication via headers for methods not covered by _isRest() - as that only checks for JSON and XML formats
+ public $automationArray = array(
+ 'events' => array('csv', 'nids', 'hids'),
+ 'attributes' => array('text', 'downloadAttachment'),
+ );
 public function __construct($id = false, $table = null, $ds = null) {
 parent::__construct($id, $table, $ds);
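Review bot: `$automationArray` is declared `public` although the commit only ever reads it from `_isAutomation()`, so any code holding the controller instance can widen the set of actions that accept header authentication and skip the CSRF check; `protected $automationArray = array(` keeps the allow-list under the class's control. The two explanatory comments would also serve better as a docblock stating the contract of the data itself — keys are controller names as they appear in `$this->params['controller']`, values are the action names that may authenticate via headers — rather than describing `_isAutomation()`, which has its own definition. The class body continues outside the hunk.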
@@ -71,13 +78,12 @@ class AppController extends Controller {
 public $mispVersion = '2.2.0';
 public function beforeFilter() {
- // send users away that are using ancient versions of IE
 // Make sure to update this if IE 20 comes out :)
 if(preg_match('/(?i)msie [2-8]/',$_SERVER['HTTP_USER_AGENT']) && !strpos($_SERVER['HTTP_USER_AGENT'], 'Opera')) throw new MethodNotAllowedException('You are using an unsecure and outdated version of IE, please download Google Chrome, Mozilla Firefox or update to a newer version of IE. If you are running IE9 or newer and still receive this error message, please make sure that you are not running your browser in compatibility mode. If you still have issues accessing the site, get in touch with your administration team at ' . Configure::read('MISP.contact'));
 // REST authentication
- if ($this->_isRest() || $this->isJson()) {
+ if ($this->_isRest() || $this->_isAutomation()) {
 // disable CSRF for REST access
 if (array_key_exists('Security', $this->components)) $this->Security->csrfCheck = false;
@@ -154,7 +160,7 @@ class AppController extends Controller {
 public $userRole = null;
- public function isJson(){
+ protected function _isJson(){
 return $this->request->header('Accept') === 'application/json';
 }
@@ -165,7 +171,14 @@ class AppController extends Controller {
 //}
 protected function _isRest() {
- return (isset($this->RequestHandler) && ($this->RequestHandler->isXml() || $this->isJson()));
+ return (isset($this->RequestHandler) && ($this->RequestHandler->isXml() || $this->_isJson()));
+ }
+
+ protected function _isAutomation() {
+ foreach ($this->automationArray as $controllerName => $controllerActions) {
+ if ($this->params['controller'] == $controllerName && in_array($this->params['action'], $controllerActions)) return true;
+ }
+ return false;
 }
 private function _getProposalCount() {
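Review bot: The `$this->Security->csrfCheck = false;` line now fires for ordinary browser-session requests as well, because `_isAutomation()` decides on controller/action alone and not on whether the request actually carries authentication headers, whereas the previous `isJson()` condition at least required a REST-style Accept header. For the listed export/download actions that may be acceptable, but it is a change in the CSRF posture of those routes that the commit message does not mention; either document it, e.g. `// CSRF is skipped for automation actions even when reached from a browser session`, or tighten the condition so the bypass applies only when a header-authenticated request is being handled. The `beforeFilter()` body, including the header authentication this enables, continues outside the hunk.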
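Review bot: `_isAutomation()` uses loose comparison on both the controller name (`==`) and the action name (`in_array` without the strict flag), so the match that gates header authentication and the CSRF bypass is looser than intended for an allow-list check; compare strictly, `if ($this->params['controller'] === $controllerName && in_array($this->params['action'], $controllerActions, true)) return true;`. The loop can also be replaced by a direct lookup, `$actions = isset($this->automationArray[$this->params['controller']]) ? $this->automationArray[$this->params['controller']] : array();` followed by `return in_array($this->params['action'], $actions, true);`, which makes the allow-list semantics obvious at a glance. A one-line docblock stating that this returns true only for the non-JSON/XML automation actions listed in `$automationArray` would complete the method.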