MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

fix: Fixes the lookup of attributes in the UI attribute search to correctly adhere to sharing groups 

- Attribute search was not correctly adhering to sharing group rules as it wasn't using the centralised lookup method

- As reported by Helge Aksdal
pull/2379/merge
iglocska 2017-08-06 12:25:40 +02:00
parent 04bd85b3d6
commit f9b0ebc199
2 changed files with 51 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
app/Controller/AttributesController.php
View File

@ -10,7 +10,10 @@ class AttributesController extends AppController {
public $paginate = array(
'limit' => 60,
'maxLimit' => 9999, // LATER we will bump here on a problem once we have more than 9999 events
'conditions' => array('AND' => array('Event.id >' => 0, 'Attribute.deleted' => 0))
'conditions' => array('AND' => array('NOT' => array('Event.id' => 0), 'Attribute.deleted' => 0)),
// Don't sort by default. It's crazy expensive and not really needed in most cases.
// Users can still sort on demand
'order' => 'Attribute.event_id DESC'
);
public $helpers = array('Js' => array('Jquery'));
@ -58,9 +61,7 @@ class AttributesController extends AppController {
$this->Attribute->recursive = 2;
$this->paginate['contain'] = array(
'Event' => array(
'fields' => array('Event.id', 'Event.orgc_id', 'Event.org_id', 'Event.info', 'Event.user_id'),
'Org' => array('fields' => array('id', 'name')),
'Orgc' => array('fields' => array('id', 'name'))
'fields' => array('Event.id', 'Event.orgc_id', 'Event.org_id', 'Event.info', 'Event.user_id')
)
);
if (!$this->_isRest()) {
@ -68,11 +69,19 @@ class AttributesController extends AppController {
}
$this->set('isSearch', 0);
$attributes = $this->paginate();
$org_ids = array();
foreach ($attributes as $k => $attribute) {
if ($attribute['Attribute']['type'] == 'attachment' && preg_match('/.*\.(jpg|png|jpeg|gif)$/i', $attribute['Attribute']['value'])) {
$attributes[$k]['Attribute']['image'] = $this->Attribute->base64EncodeAttachment($attribute['Attribute']);
}
$org_ids[$attribute['Event']['org_id']] = false;
$org_ids[$attribute['Event']['orgc_id']] = false;
}
$orgs = $this->Attribute->Event->Orgc->find('list', array(
'conditions' => array('Orgc.id' => array_keys($org_ids)),
'fields' => array('Orgc.id', 'Orgc.name')
));
$this->set('orgs', $orgs);
$this->set('attributes', $attributes);
$this->set('attrDescriptions', $this->Attribute->fieldDescriptions);
$this->set('typeDefinitions', $this->Attribute->typeDefinitions);
@ -1544,43 +1553,34 @@ class AttributesController extends AppController {
'Event' => array(
'fields' => array(
'orgc_id', 'id', 'org_id', 'user_id', 'info'
),
'Org' => array(
'fields' => array('id', 'name')
),
'Orgc' => array(
'fields' => array('id', 'name')
),
)
),
)
);
$this->Attribute->contain(array('AttributeTag' => array('Tag')));
if (!$this->_isSiteAdmin()) {
// merge in private conditions
$conditions = $this->Attribute->buildConditions($this->Auth->user());
$this->paginate = Set::merge($this->paginate, array(
'conditions' =>
array("OR" =>
array(
array('Event.org_id =' => $this->Auth->user('org_id')),
array("AND" =>
array('Event.org_id !=' => $this->Auth->user('org_id')),
array('Event.distribution !=' => 0),
array('Attribute.distribution !=' => 0),
Configure::read('MISP.unpublishedprivate') ? array('Event.published =' => 1) : array(),
)
)
)
)
);
'conditions' => $conditions
));
}
$idList = array();
$attributeIdList = array();
$attributes = $this->paginate();
$org_ids = array();
foreach ($attributes as $k => $attribute) {
if ($attribute['Attribute']['type'] == 'attachment' && preg_match('/.*\.(jpg|png|jpeg|gif)$/i', $attribute['Attribute']['value'])) {
$attributes[$k]['Attribute']['image'] = $this->Attribute->base64EncodeAttachment($attribute['Attribute']);
}
$org_ids[$attribute['Event']['org_id']] = false;
$org_ids[$attribute['Event']['orgc_id']] = false;
}
$orgs = $this->Attribute->Event->Orgc->find('list', array(
'conditions' => array('Orgc.id' => array_keys($org_ids)),
'fields' => array('Orgc.id', 'Orgc.name')
));
$this->set('orgs', $orgs);
$this->set('attributes', $attributes);
// if we searched for IOCs only, apply the whitelist to the search result!

43
app/Model/Attribute.php
View File

@ -2173,28 +2173,37 @@ class Attribute extends AppModel {
public function buildConditions($user) {
$conditions = array();
if (!$user['Role']['perm_site_admin']) {
$eventIds = $this->Event->fetchEventIds($user, false, false, false, true);
$sgsids = $this->SharingGroup->fetchAllAuthorised($user);
$sgids = $this->SharingGroup->fetchAllAuthorised($user);
$conditions = array(
'AND' => array(
'OR' => array(
array(
'AND' => array(
'Event.org_id' => $user['org_id'],
)
),
array(
'AND' => array(
'Event.id' => $eventIds,
'OR' => array(
'Attribute.distribution' => array('1', '2', '3', '5'),
'AND '=> array(
'Attribute.distribution' => 4,
'Attribute.sharing_group_id' => $sgsids,
)
array(
'OR' => array(
'Event.org_id' => $user['org_id'],
array(
'AND' => array(
'Event.distribution >' => 0,
'Event.distribution <' => 4,
Configure::read('MISP.unpublishedprivate') ? array('Event.published =' => 1) : array(),
),
),
array(
'AND' => array(
'Event.sharing_group_id' => $sgids,
'Event.distribution' => 4,
Configure::read('MISP.unpublishedprivate') ? array('Event.published =' => 1) : array(),
)
)
)
),
array(
'OR' => array(
'Event.org_id' => $user['org_id'],
'Attribute.distribution' => array('1', '2', '3', '5'),
'AND '=> array(
'Attribute.distribution' => 4,
'Attribute.sharing_group_id' => $sgids,
)
)
)
)
);