- feature is optional and needs to be enabled in the server settings
- on successful login logs the associated user ID for a given IP (30 day retention)
- also logs the IP for the associated user ID (indefinite retention)
- added two command line tools to query
- Get IPs For User ID: MISP/app/Console/cake Admin UserIP [user_id]
- Get User ID For User IP: MISP/app/Console/cake Admin IPUser [ip]
- new centralised restSearch function in AppController as entry point via all controllers
- new component handling restSearch related support functions, such as parameter mapping
- hollowed out all deprecated export functions on the event/attribute controller
- replaced with a new functionality that remaps them to restSearch
- all functionality should be maintained with all additional advantages introduced with restsearch
- additional cleanup (some unused functions removed)
- send X-Deprecation-Warning via the API
- set new Warning flash messages via the UI
- counting the use of these functionalities / API endpoint and / user
- added a diagnostic tool to view the outcome of the collection
- sharing of these collections with the MISP-Project will be optionally available in the future
- two modes of operation:
- hard deprecation (functions certainly to be removed, reported to the users via API/UI)
- soft deprecation (gauging interest for the continued use of these functions)
- / role setting
- can be enabled/disabled and if enabled a limit can be set
- limit counter / 15 minutes starting from the first query
- x-headers inform the user about their limit/remaining queries/reset in seconds
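The window logic these four bullets describe, as an added stand-alone illustration (not MISP's own code): a per-user counter that starts a 15-minute window on the first query, rejects once the limit is reached, and reports limit, remaining and seconds-to-reset in response headers. The class name, the `X-Rate-Limit-*` header names and the fake-clock scenario are assumptions made for the example.

```python
"""Fixed-window per-user rate limiter with informational X-headers.

Added illustration of the scheme in the commit notes above; not MISP code.
Assumptions: header names, class/function names, and the constructed scenario.
"""
import time

WINDOW_SECONDS = 15 * 60  # 15-minute window, as stated in the notes


class FixedWindowRateLimiter:
    """Counts queries per user in a window that opens on the first query."""

    def __init__(self, limit, window=WINDOW_SECONDS, clock=time.time):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable for deterministic tests
        self._state = {}            # user_id -> (window_start, count)

    def check(self, user_id):
        """Record one query for user_id. Returns (allowed, headers)."""
        now = self.clock()
        start, count = self._state.get(user_id, (None, 0))
        if start is None or now - start >= self.window:
            # First query ever, or the previous window expired: open a new one.
            start, count = now, 0
        allowed = count < self.limit
        if allowed:
            count += 1              # rejected queries do not consume quota
        self._state[user_id] = (start, count)
        reset_in = max(0, int(self.window - (now - start)))
        headers = {
            "X-Rate-Limit-Limit": str(self.limit),        # assumed header names
            "X-Rate-Limit-Remaining": str(max(0, self.limit - count)),
            "X-Rate-Limit-Reset": str(reset_in),          # seconds until window ends
        }
        return allowed, headers


def simulate(limit=3):
    """Constructed scenario with a fake clock: fill the quota, get blocked,
    then see the window reset after 15 minutes. Returns a list of
    (allowed, remaining, reset_seconds) per query."""
    now = [1000.0]
    limiter = FixedWindowRateLimiter(limit, clock=lambda: now[0])
    results = []
    for offset in (0, 60, 120, 180, WINDOW_SECONDS + 5):
        now[0] = 1000.0 + offset
        allowed, h = limiter.check("user-1")
        results.append((allowed,
                        int(h["X-Rate-Limit-Remaining"]),
                        int(h["X-Rate-Limit-Reset"])))
    return results


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

When `allowed` is `False` the caller would answer with HTTP 429 and still attach the headers, so the client can read `X-Rate-Limit-Reset` and back off rather than retry blindly. Because the window is anchored on the first accepted query rather than sliding, a client can burst the full limit at the end of one window and again at the start of the next; that is inherent to fixed windows and worth knowing when choosing the limit.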
There were already two places in AppComponent that implemented the same
functionality. It makes sense to move this to a common function so it
can also be used from Controllers that do not inherit the full
beforeFilter functionality.
Since `__preAuthException` is private and only called from the
beforeFilter method after the variable has been setup we can remove
the explicit init from there.
This makes the beforeFilter function a bit smaller while keeping all the
functionality. It will also help with reusing the setup logic in views
that can not execute all of AppComponent::beforeFilter, like the
LinOTPAuth plugin.
For some authentication workflows it might be desirable to execute the
exact same code without having to call the entire beforeFilter method
from the base class. That way you do not have to work around all the
edge cases without having to reinvent the same code in multiple
locations.
This makes it easier to modify the login redirect behaviour in a unified
way. For now this just uses the default Auth loginAction while setting
the `admin` attribute to `false`. Thus application behaviour should be
unchanged.
- added UUID -> ID lookup function and integrated it across several functions
- fixes #4990
- fixes #4999
- fixes #4993
- fixes #4991
- fixes #4989
- fixes #4987
- cookieTimeout setting fixed
- moved the session massaging into a separate function
- added some translation calls for some of the setting errors involved
- changed the cookie name to MISP-[MISP.uuid] to rely on a unique data-point instead of the URL. This solves issues with multiple MISPs running on the same host via port based virtualhosts sharing sessions
- timeout issues potentially fixed when using the recommended PHP session handler. If the garbage collection is configured in php.ini it could previously purge sessions that based on the session timeout should still be valid
- event view uses the new parametrised system
- massive reduction of weird custom UI stuff to prepare MISP for a move to bootstrap 4
- should fix the dodgy UI issues that @rommelfs was experiencing on his Playmobil laptop
- view the failed/succeeded saves in batch imports, fixes #3866
- fixed a bug that inserted junk into the flash messages, fixes #3863
- fixed a bug that removed all but the last entry in a failed batch import #3865
- just pass /sql:1 to any query via the API to see a dump of all queries
- Response isn't very clean, JSON pushed in front of whatever the output is
- requires debug mode = 2
- authenticate user via URL params if not already authenticated (to support legacy APIs)
- harvest parameters in a standardised way for filtering all export APIs
- for legacy tools that cannot pass headers in HTTP requests for some insane reason
- Needs to be enabled by a site admin - default is that it is disabled
- MISP's diagnostic tool WILL complain if this is ever enabled
- blanket disabling the security component for API requests clashes with explicit disabling of certain security component features in the objects controller causing exceptions
- Organisation merge is now offered to the user by the edit page if a UUID was used to edit an organisation that is already in use
- Merging a local org with 1+ user(s) into an external organisation converts the target organisation into a local one
- Merging a local organisation with a logo into an organisation without one will move the current logo over
- caveat: this will only happen for organisations already using the new logo naming ([id].png as opposed to [name].png)