iglocska
158036f525
chg: [version] bump
2020-11-02 13:56:08 +01:00
Raphaël Vinot
3b6017a5ed
chg: [PyMISP] Bump version
2020-11-02 10:55:59 +01:00
mokaddem
0971e50752
chg: Bumped queryversion
2020-10-29 19:26:57 +01:00
Jakub Onderka
1993f2235c
chg: [internal] Do not load notifications for ajax requests
2020-10-19 17:28:52 +02:00
Raphaël Vinot
e14192ccf6
Merge branch '2.4' of github.com:MISP/MISP into 2.4
2020-10-16 13:18:16 +02:00
Raphaël Vinot
5527c24d92
chg: Bump PyMISP
2020-10-16 13:17:04 +02:00
Jakub Onderka
0e80b9f498
fix: [freetext] Do not load event page twice when saving freetext
2020-10-11 12:36:00 +02:00
mokaddem
40b3259b7a
fix: [decayingModelSimulation] Correctly extract part of atomic tags
2020-10-06 14:18:05 +02:00
Jakub Onderka
3be0ab9169
chg: [internal] Use ACLComponent for menu item permission
2020-10-03 16:12:44 +02:00
mokaddem
6bcde44950
chg: bumped queryversion
2020-09-28 10:32:14 +02:00
mokaddem
1287b18106
chg: [queryversion] Bumped
2020-09-15 14:07:41 +02:00
Raphaël Vinot
1684478091
chg: [PyMISP] Bump version
2020-09-08 12:47:30 +02:00
Sami Mokaddem
775514ccf8
chg: Bumped queryversion
2020-09-03 16:41:26 +02:00
Golbark
3fb47d1cce
chg: [internal] Using blocklist instead of blacklist
2020-09-01 16:27:36 +02:00
iglocska
704378c919
fix: [JS] broken URLs due to the baseurl refactor
...
- no need to prepend URLs taken from the forms themselves directly.
2020-08-24 17:20:57 +02:00
iglocska
242d25d5e4
chg: [API] GET requests on restsearch with no parameters are no longer allowed.
...
- warn the user of the use of GET queries with posted JSON bodies
2020-08-24 09:04:30 +02:00
Raphaël Vinot
db55589512
chg: [PyMISP] Bump tag
2020-08-20 13:04:44 +02:00
Jakub Onderka
b6116098c0
fix: [security] Throw exception if invalid data provided
2020-08-05 12:39:11 +02:00
Jakub Onderka
67a9d612d5
fix: [security] ACL check when adding or removing tags
2020-08-04 12:23:41 +02:00
Jakub Onderka
db626cf741
fix: [security] Respect ACL when event edit
2020-08-04 12:21:42 +02:00
mokaddem
94aa68c8b4
chg: Bumped queryversion
2020-07-31 13:30:17 +02:00
iglocska
bf4610c947
fix: [security] setting a favourite homepage was not CSRF protected
...
- a user could be lured into setting a MISP home-page outside of the MISP baseurl
- switched the endpoint to be CSRF protection enabled
- as discovered by Mislav Božičević <mislav.bozicevic@nn.cz>
2020-07-13 12:19:11 +02:00
Raphaël Vinot
688585b323
chg: [PyMISP] Bump
2020-06-22 14:34:49 +02:00
Raphaël Vinot
5a512063a3
chg: [PyMISP] Bump
2020-06-16 14:30:23 +02:00
Jakub Onderka
8c13330712
fix: [internal] Check if user is logged before checking if he is site admin
2020-05-19 17:11:39 +02:00
Jakub Onderka
df1ed1badf
fix: [internal] Set notifications count and loggedInUserName just for logged users
2020-05-19 17:10:53 +02:00
Raphaël Vinot
b8f0574f71
chg: Bump PyMISP
2020-05-18 12:38:25 +02:00
iglocska
c8e9fa1c76
chg: [roles] allow the creation site admin enabled roles without auth access
2020-05-06 14:53:11 +02:00
iglocska
f278407e91
chg: [VERSION] bump
2020-04-30 11:50:22 +02:00
iglocska
e9c00cb1b4
fix: [otp] pre-auth action list only expanded if otp is enabled
2020-04-29 15:55:22 +02:00
iglocska
6ec8391e46
Merge branch '5726' into 2.4
2020-04-29 15:50:01 +02:00
Andras Iklody
f30959f274
Merge pull request #5561 from JakubOnderka/is_rest_cache
...
chg: [internal] Cache result of AppController::_isRest method
2020-04-28 15:46:24 +02:00
iglocska
03c866fe4e
fix: [registrations] Users can now register using the API without a valid key, affects #5783
2020-04-24 11:39:59 +02:00
iglocska
45e42ca84f
new: [privacy] filter added for the authkeys in the admin section to make giving trainings easier
2020-04-21 08:09:26 +02:00
Golbark
93ba84fd02
Hook into native authentication flow instead of beforefilter
...
which prevents any after-auth bypass and rely on framework
session management.
2020-04-20 12:24:47 +02:00
Golbark
3436bc6ae5
Merge branch '2.4' into email-otp-implementation
...
Conflicts:
app/Model/Server.php
2020-04-20 12:16:25 +02:00
iglocska
078bf123a1
chg: [ACL] added the feed data reload
2020-04-17 14:23:34 +02:00
iglocska
10ab82f830
new: [UI Helper] DataPathCollector helper added
...
- helps the index factory fields retrieve data from the currently processed object based on a set of paths
2020-04-17 14:13:15 +02:00
iglocska
3fa5c3f370
fix: [database] added missing file
2020-04-14 15:17:15 +02:00
iglocska
4ebc0a7988
new: [inbox] system added
...
- user self-registration is the first use-case
- if the feature is enabled, users can unauthenticated send a registration request to MISP
- request includes information on desired org and some privileges (sync / org admin / publisher)
- requests land in the inbox, admins can inspect the registration requests
- they can accept/discard them individually or en masse
- users will be notified of their credentials automatically
- quick user creation if the user asks for an org that doesn't exist yet
2020-04-07 13:21:01 +02:00
Golbark
d254d04365
Rely on session_id instead of user_id and address minor comments
2020-03-26 02:55:14 -07:00
Golbark
309bbc6814
new: usr: Implementation of email-based OTP
2020-03-25 07:45:09 -07:00
iglocska
d7e3674987
new: [audit] Added user monitoring
...
- site admins can set the monitoring flag on a user if the feature is enabled on the instance
- monitored users will have all requests logged along with POST bodies
- keep in mind this functionality is quite heavy and intrusive - so use it with care. The idea is that this allows us to track potentially malicious users during an investigation
2020-03-25 11:49:33 +01:00
Raphaël Vinot
8beec4e383
chg: Bump PyMISP
2020-03-10 14:31:31 +01:00
iglocska
f1faa7845f
fix: [dashboard] grid scope fix
2020-03-10 11:34:30 +01:00
mokaddem
431ccc6a04
chg: [response header] Added `X-XSS-Protection` header
...
- As reported by an external pentest company on behalf of the Centre for Cyber security Belgium (CCB)
2020-03-06 16:06:35 +01:00
iglocska
a40c227ca4
chg: [querystring] bumped
2020-03-02 23:14:55 +01:00
iglocska
0d4df7c98b
new: [Dashboard] system
...
- Dashboard
- modular similar to restSearch
- build your own widgets
- use a set of visualisation options (more coming!)
- full access to internal functions for queries
- auto discover core and 3rd party widgets
- rearrange / configure widgets for each user individually
- rearrange / resize widgets
- settings can be configured by a site-admin on behalf of others
- modules have a self-explain mode to guide users
- caching mechanism for the modules / org
- set homepage / user
- various other fixes
2020-03-01 18:05:21 +01:00
iglocska
4bfcc3211b
new: [API] object level restSearch added
...
still WiP
2020-02-29 08:57:32 +01:00
iglocska
08e0e9d16d
chg: [version] bump
2020-02-26 16:13:12 +01:00