Jakub Onderka
640e9492d7
new: [security] Put information about key expiration into response header
2020-12-17 13:50:25 +01:00
Jakub Onderka
8df77748b0
chg: [internal] Small optimisations
2020-12-17 13:50:25 +01:00
Jakub Onderka
d92123c915
fix: [security] Do not allow using an API key authenticated session to do non-API calls
2020-12-17 13:50:25 +01:00
Jakub Onderka
9896f67358
new: [security] New setting Security.username_in_response_header
2020-12-17 13:50:25 +01:00
Jakub Onderka
feab5f553b
chg: [internal] AppController code cleanup
2020-12-17 13:50:23 +01:00
Jakub Onderka
4c6ffc6985
chg: [internal] Rename MISP.log_user_ips_auth -> MISP.log_user_ips_authkeys
2020-12-17 13:49:32 +01:00
Jakub Onderka
8662a7efaf
chg: [internal] Move access monitoring to own method
2020-12-17 13:49:32 +01:00
Jakub Onderka
ee8a495d89
new: [internal] Show auth key usage in key view page
2020-12-17 13:49:32 +01:00
Jakub Onderka
c6bf9de3ca
fix: [internal] Remove unused variables
2020-12-17 13:49:32 +01:00
Jakub Onderka
6821556000
chg: [internal] Allow to reuse session for API requests
2020-12-17 13:49:32 +01:00
Jakub Onderka
e5e855b3c2
new: [internal] Allow to log authkey usage in Redis
2020-12-17 13:49:32 +01:00
Jakub Onderka
6ce13b8168
chg: [internal] Do not log full authkeys
2020-12-17 13:49:32 +01:00
Jakub Onderka
a0fb186a3c
chg: [internal] Simplify User::describeAuthFields
2020-12-17 13:49:32 +01:00
Jakub Onderka
d0ec184796
fix: [internal] Remove unused $user siteadmin variable
2020-12-17 13:49:32 +01:00
Jakub Onderka
49b85ed33c
chg: [internal] Load just necessary info when loading homepage info
2020-12-17 13:49:32 +01:00
Jakub Onderka
18402c0489
chg: [internal] Load user role info from session data
2020-12-17 13:49:32 +01:00
Jakub Onderka
7f0d06ae4d
chg: [internal] Move user checks to one place
2020-12-17 13:49:32 +01:00
Jakub Onderka
becbf95c37
new: [UI] Download GPG public key from GPG homedir
2020-12-17 13:19:55 +01:00
iglocska
a332e1379c
Merge branch '2.4' into cerebrate
2020-11-30 23:49:40 +01:00
iglocska
320191bbd8
chg: [querystring] bump
2020-11-30 23:46:37 +01:00
Jakub Onderka
2c7d6e4466
new: [auth] Allow to enforce auth plugin authentication
2020-11-30 14:46:36 +01:00
Jakub Onderka
165da72fdf
fix: [internal] Remove unused method from AppController
2020-11-27 09:01:35 +01:00
Jakub Onderka
e15ca97f33
Merge pull request #6081 from JakubOnderka/security_disable_browser_cache
...
new: [security] HTTP headers hardening
2020-11-24 21:00:02 +01:00
Raphaël Vinot
7dab02b1e5
chg: [PyMISP] Bump version
2020-11-23 10:07:11 +01:00
mokaddem
e45174f83c
fix: [appController] Prevent notice for `perm_galaxy_editor` if update is still running
2020-11-19 17:35:30 +01:00
mokaddem
89f307bd07
Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0
2020-11-18 09:22:40 +01:00
Jakub Onderka
12f84b0d69
Merge pull request #6587 from JakubOnderka/authkey-view
...
Authkey view permission fix
2020-11-17 21:25:38 +01:00
mokaddem
9db29821b4
Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0
2020-11-16 16:11:17 +01:00
Jakub Onderka
c51cd36ac3
fix: [internal] Destroy session just when session is started
2020-11-16 14:58:12 +01:00
Jakub Onderka
000706251b
fix: [security] Proper check who can view new authkeys
2020-11-15 18:04:34 +01:00
mokaddem
dc65c79130
Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0
2020-11-13 16:26:35 +01:00
mokaddem
1879bc05b7
Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0
2020-11-12 09:05:12 +01:00
iglocska
dbffebe503
Merge branch '2.4' into CRUD
2020-11-11 11:19:23 +01:00
mokaddem
17c793d10f
chg: Bumped queryversion
2020-11-10 13:31:43 +01:00
mokaddem
150b4cb7d1
Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0
2020-11-09 10:07:43 +01:00
mokaddem
37072e309f
chg: Bumped queryversion
2020-11-09 09:03:55 +01:00
Jakub Onderka
5d6c1abe3c
Merge pull request #6519 from JakubOnderka/update-login-times
...
fix: [internal] Properly set login time for custom auth
2020-11-07 09:58:54 +01:00
mokaddem
1bf5c599f2
chg: bumped queryversion
2020-11-06 16:36:34 +01:00
iglocska
158036f525
chg: [version] bump
2020-11-02 13:56:08 +01:00
Raphaël Vinot
3b6017a5ed
chg: [PyMISP] Bump version
2020-11-02 10:55:59 +01:00
mokaddem
0971e50752
chg: Bumped queryversion
2020-10-29 19:26:57 +01:00
Jakub Onderka
5a4ba9cbc1
fix: [internal] Properly set login times for custom auth
2020-10-29 17:53:11 +01:00
iglocska
62bbc95472
Merge branch '2.4' into CRUD
2020-10-20 02:01:21 +02:00
iglocska
68f2425af1
chg: [authkey] system tied into authentication
2020-10-20 01:48:16 +02:00
Jakub Onderka
63ae5c16e0
new: [security] New setting to check `Sec-Fetch-Site` header
2020-10-19 19:24:09 +02:00
Jakub Onderka
1993f2235c
chg: [internal] Do not load notifications for ajax requests
2020-10-19 17:28:52 +02:00
Jakub Onderka
5e12063620
new: [security] Add new `Security.disable_browser_cache` option to disable saving data to browser cache
2020-10-18 18:53:57 +02:00
Raphaël Vinot
e14192ccf6
Merge branch '2.4' of github.com:MISP/MISP into 2.4
2020-10-16 13:18:16 +02:00
Raphaël Vinot
5527c24d92
chg: Bump PyMISP
2020-10-16 13:17:04 +02:00
Jakub Onderka
0e80b9f498
fix: [freetext] Do not load event page twice when saving freetext
2020-10-11 12:36:00 +02:00
mokaddem
40b3259b7a
fix: [decayingModelSimulation] Correctly extract part of atomic tags
2020-10-06 14:18:05 +02:00
Jakub Onderka
3be0ab9169
chg: [internal] Use ACLComponent for menu item permission
2020-10-03 16:12:44 +02:00
mokaddem
6bcde44950
chg: bumped queryversion
2020-09-28 10:32:14 +02:00
mokaddem
eb84b3344f
Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0
2020-09-22 12:08:12 +02:00
mokaddem
1287b18106
chg: [queryversion] Bumped
2020-09-15 14:07:41 +02:00
Raphaël Vinot
1684478091
chg: [PyMISP] Bump version
2020-09-08 12:47:30 +02:00
Sami Mokaddem
775514ccf8
chg: Bumped queryversion
2020-09-03 16:41:26 +02:00
Golbark
3fb47d1cce
chg: [internal] Using blocklist instead of blacklist
2020-09-01 16:27:36 +02:00
iglocska
704378c919
fix: [JS] broken URLs due to the baseurl refactor
...
- no need to prepend URLs taken from the forms themselves directly.
2020-08-24 17:20:57 +02:00
iglocska
242d25d5e4
chg: [API] GET requests on restsearch with no parameters are no longer allowed.
...
- warn the user of the use of GET queries with posted JSON bodies
2020-08-24 09:04:30 +02:00
Raphaël Vinot
db55589512
chg: [PyMISP] Bump tag
2020-08-20 13:04:44 +02:00
Jakub Onderka
b6116098c0
fix: [security] Throw exception if invalid data provided
2020-08-05 12:39:11 +02:00
Jakub Onderka
67a9d612d5
fix: [security] ACL check when adding or removing tags
2020-08-04 12:23:41 +02:00
Jakub Onderka
db626cf741
fix: [security] Respect ACL when event edit
2020-08-04 12:21:42 +02:00
mokaddem
94aa68c8b4
chg: Bumped queryversion
2020-07-31 13:30:17 +02:00
mokaddem
b3dbecb318
Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0
2020-07-14 16:25:04 +02:00
iglocska
bf4610c947
fix: [security] setting a favourite homepage was not CSRF protected
...
- a user could be lured into setting a MISP home-page outside of the MISP baseurl
- switched the endpoint to be CSRF protection enabled
- as discovered by Mislav Božičević <mislav.bozicevic@nn.cz>
2020-07-13 12:19:11 +02:00
mokaddem
f3a9481c61
Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0
2020-07-01 16:22:55 +02:00
Raphaël Vinot
688585b323
chg: [PyMISP] Bump
2020-06-22 14:34:49 +02:00
Raphaël Vinot
5a512063a3
chg: [PyMISP] Bump
2020-06-16 14:30:23 +02:00
mokaddem
5c04b9a8c1
Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0
2020-05-28 14:06:30 +02:00
Jakub Onderka
8c13330712
fix: [internal] Check if user is logged in before checking if he is site admin
2020-05-19 17:11:39 +02:00
Jakub Onderka
df1ed1badf
fix: [internal] Set notifications count and loggedInUserName just for logged-in users
2020-05-19 17:10:53 +02:00
Raphaël Vinot
b8f0574f71
chg: Bump PyMISP
2020-05-18 12:38:25 +02:00
iglocska
c8e9fa1c76
chg: [roles] allow the creation of site admin enabled roles without auth access
2020-05-06 14:53:11 +02:00
iglocska
f278407e91
chg: [VERSION] bump
2020-04-30 11:50:22 +02:00
iglocska
e9c00cb1b4
fix: [otp] pre-auth action list only expanded if otp is enabled
2020-04-29 15:55:22 +02:00
iglocska
6ec8391e46
Merge branch '5726' into 2.4
2020-04-29 15:50:01 +02:00
Andras Iklody
f30959f274
Merge pull request #5561 from JakubOnderka/is_rest_cache
...
chg: [internal] Cache result of AppController::_isRest method
2020-04-28 15:46:24 +02:00
iglocska
03c866fe4e
fix: [registrations] Users can now register using the API without a valid key, affects #5783
2020-04-24 11:39:59 +02:00
iglocska
45e42ca84f
new: [privacy] filter added for the authkeys in the admin section to make giving trainings easier
2020-04-21 08:09:26 +02:00
Golbark
93ba84fd02
Hook into native authentication flow instead of beforefilter
...
which prevents any after-auth bypass and rely on framework
session management.
2020-04-20 12:24:47 +02:00
Golbark
3436bc6ae5
Merge branch '2.4' into email-otp-implementation
...
Conflicts:
app/Model/Server.php
2020-04-20 12:16:25 +02:00
iglocska
078bf123a1
chg: [ACL] added the feed data reload
2020-04-17 14:23:34 +02:00
iglocska
10ab82f830
new: [UI Helper] DataPathCollector helper added
...
- helps the index factory fields retrieve data from the currently processed object based on a set of paths
2020-04-17 14:13:15 +02:00
iglocska
3fa5c3f370
fix: [database] added missing file
2020-04-14 15:17:15 +02:00
mokaddem
dd1be03597
Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0
2020-04-09 14:26:48 +02:00
iglocska
4ebc0a7988
new: [inbox] system added
...
- user self-registration is the first use-case
- if the feature is enabled, users can send a registration request to MISP unauthenticated
- request includes information on desired org and some privileges (sync / org admin / publisher)
- requests land in the inbox, admins can inspect the registration requests
- they can accept/discard them individually or en masse
- users will be notified of their credentials automatically
- quick user creation if the user asks for an org that doesn't exist yet
2020-04-07 13:21:01 +02:00
Golbark
d254d04365
Rely on session_id instead of user_id and address minor comments
2020-03-26 02:55:14 -07:00
Golbark
309bbc6814
new: usr: Implementation of email-based OTP
2020-03-25 07:45:09 -07:00
iglocska
d7e3674987
new: [audit] Added user monitoring
...
- site admins can set the monitoring flag on a user if the feature is enabled on the instance
- monitored users will have all requests logged along with POST bodies
- keep in mind this functionality is quite heavy and intrusive - so use it with care. The idea is that this allows us to track potentially malicious users during an investigation
2020-03-25 11:49:33 +01:00
mokaddem
04dcdebb1f
new: [galaxyCluster] Initial import of Galaxy2.0 codebase - WiP
2020-03-12 10:26:09 +01:00
Raphaël Vinot
8beec4e383
chg: Bump PyMISP
2020-03-10 14:31:31 +01:00
iglocska
f1faa7845f
fix: [dashboard] grid scope fix
2020-03-10 11:34:30 +01:00
mokaddem
431ccc6a04
chg: [response header] Added `X-XSS-Protection` header
...
- As reported by an external pentest company on behalf of the Centre for Cyber Security Belgium (CCB)
2020-03-06 16:06:35 +01:00
iglocska
a40c227ca4
chg: [querystring] bumped
2020-03-02 23:14:55 +01:00
iglocska
0d4df7c98b
new: [Dashboard] system
...
- Dashboard
- modular similar to restSearch
- build your own widgets
- use a set of visualisation options (more coming!)
- full access to internal functions for queries
- auto discover core and 3rd party widgets
- rearrange / configure widgets for each user individually
- rearrange / resize widgets
- settings can be configured by a site-admin on behalf of others
- modules have a self-explain mode to guide users
- caching mechanism for the modules / org
- set homepage / user
- various other fixes
2020-03-01 18:05:21 +01:00
iglocska
4bfcc3211b
new: [API] object level restSearch added
...
still WiP
2020-02-29 08:57:32 +01:00
iglocska
08e0e9d16d
chg: [version] bump
2020-02-26 16:13:12 +01:00
iglocska
c310b30177
fix: [custom auth] correctly use HTTP_ as the default header namespace
2020-02-23 19:13:48 +01:00