new: [event:publication] Added new setting to block event publication if the user is the creator

Enabling this setting will change the behavior of MISP so that it will block the publication of an Event if the publisher is the same as the event creator.
2023-12-18 09:58:24 +01:00 · 2023-12-18 09:58:24 +01:00 · fc135af841
parent c8f7f89cb6
commit fc135af841
2 changed files with 19 additions and 1 deletions
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
@ -3187,7 +3187,7 @@ class EventsController extends AppController
        $event = $this->Event->find('first', [
            'conditions' => Validation::uuid($id) ? ['Event.uuid' => $id] : ['Event.id' => $id],
            'recursive' => -1,
-            'fields' => ['id', 'info', 'publish_timestamp', 'orgc_id'],
+            'fields' => ['id', 'info', 'publish_timestamp', 'orgc_id', 'user_id'],
        ]);
        if (empty($event)) {
            throw new NotFoundException(__('Invalid event.'));
@ -3206,6 +3206,16 @@ class EventsController extends AppController
                }
            }
        }
+        if (
+            Configure::read('MISP.block_publishing_for_same_creator', false) &&
+            $this->Auth->user()['id'] == $event['Event']['user_id']
+        ) {
+            $message = __('Could not publish event, the user cannot be the same as the event creator');
+            if (!$this->_isRest()) {
+                $this->Flash->error($message);
+            }
+            throw new MethodNotAllowedException($message);
+        }

        return $event;
    }
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
@ -6135,6 +6135,14 @@ class Server extends AppModel
                    'type' => 'boolean',
                    'null' => true,
                ],
+                'block_publishing_for_same_creator' => [
+                    'level' => self::SETTING_OPTIONAL,
+                    'description' => __('Enable this setting will make MISP blocks publishing if the publisher is the same as the event creator'),
+                    'value' => false,
+                    'test' => 'testBool',
+                    'type' => 'boolean',
+                    'null' => true,
+                ],
                'self_update' => [
                    'level' => self::SETTING_CRITICAL,
                    'description' => __('Enable the GUI button for MISP self-update on the Diagnostics page.'),