iglocska
dbffebe503
Merge branch '2.4' into CRUD
2020-11-11 11:19:23 +01:00
iglocska
5b256405c0
new: [advanced authkey] system
2020-11-11 10:46:38 +01:00
Jakub Onderka
5a4ba9cbc1
fix: [internal] Properly set login times for custom auth
2020-10-29 17:53:11 +01:00
iglocska
0b6da917d4
new: [advanced authkey] API key copy to the new system added to diagnostics
2020-10-20 08:35:21 +02:00
iglocska
62bbc95472
Merge branch '2.4' into CRUD
2020-10-20 02:01:21 +02:00
iglocska
617db7a337
chg: [user] admin view now loads advanced authkeys when appropriate
2020-10-20 01:48:51 +02:00
Jakub Onderka
461318de19
fix: [UI] Show warning if notification when creating new user could not be sent
2020-10-13 12:28:20 +02:00
Golbark
3fb47d1cce
chg: [internal] Using blocklist instead of blacklist
2020-09-01 16:27:36 +02:00
Jakub Onderka
3005ef8f6e
fix: [otp] Allow sending encrypted OTP by mail
2020-08-20 19:58:24 +02:00
mokaddem
fdade41e5e
chg: [users:acceptRegistration] Displays an error message if save failed
Fix #6134
2020-07-30 09:00:46 +02:00
mokaddem
6321e02e34
chg: [users:register] Use the trimmed data instead
2020-06-29 10:18:20 +02:00
mokaddem
89adde7e0b
fix: [user:registration] Report field validations to the user. Fix #6072 and #6073
2020-06-29 10:12:22 +02:00
mokaddem
41506cc7e7
fix: [users:change_pw] Return error message when trying to use the same password. Fix #5961
2020-06-03 15:05:09 +02:00
Jakub Onderka
77e34ba41c
fix: [UI] Do not show Good-Bye when using custom logout
Because without this patch, Good-Bye is shown when the user successfully logs in.
2020-05-21 17:10:28 +02:00
iglocska
cd7d01306d
fix: [registration] acceptRegistration now accepts non User wrapped input
2020-05-06 21:40:04 +02:00
iglocska
9c52ed095a
fix: [users] accepting registration requests can throw a badly mapped exception
- changed to 400
2020-05-06 13:46:04 +02:00
iglocska
d996b4093d
fix: [registrations] multi-delete fixed
2020-05-06 11:13:56 +02:00
iglocska
f9cbe42aa8
new: [statistics] added contributing org count
2020-04-30 16:05:15 +02:00
iglocska
6ec8391e46
Merge branch '5726' into 2.4
2020-04-29 15:50:01 +02:00
iglocska
a922bfa6f5
chg: [otp] minor changes
- i18n
- function naming convention
2020-04-29 15:49:15 +02:00
Jakub Onderka
79517ab430
fix: Correct flash message when sending e-mail
2020-04-25 23:06:10 +02:00
mokaddem
e5c49e636c
chg: [users:registrations] Catch if no org_id was provided
2020-04-24 12:02:43 +02:00
mokaddem
6bff239740
chg: [user:registration] Added audit log
2020-04-22 10:04:07 +02:00
mokaddem
46a940acb8
chg: [user:acceptRegistration] Added fail message
2020-04-22 09:44:13 +02:00
mokaddem
56f69fb2ea
chg: [user:acceptRegistration] Default to instance's default role if role_id not passed
2020-04-22 09:41:13 +02:00
mokaddem
47be5e75fe
chg: [user:registration] Accept/Discard registration accept UUID as parameter
2020-04-22 09:19:27 +02:00
mokaddem
86238031cf
fix: [user:registration] Default undefined message to empty string
2020-04-22 08:51:15 +02:00
Golbark
93ba84fd02
Hook into native authentication flow instead of beforefilter, which prevents any after-auth bypass and relies on framework session management.
2020-04-20 12:24:47 +02:00
Golbark
3436bc6ae5
Merge branch '2.4' into email-otp-implementation
Conflicts:
app/Model/Server.php
2020-04-20 12:16:25 +02:00
iglocska
48cbfd7536
new: [registration] fall back to the e-mail domain if no org info is provided
- also, make the org info optional
2020-04-07 22:46:35 +02:00
iglocska
70e1772bb0
Merge branch '2.4' of github.com:MISP/MISP into 2.4
2020-04-07 22:21:37 +02:00
iglocska
78c1357593
fix: [user registration] reverted bug introduced in previous commit restricting the org choice to the suggested org if there was a match
2020-04-07 22:20:56 +02:00
mokaddem
b3c114a13a
Merge branch '2.4' of github.com:MISP/MISP into 2.4
2020-04-07 14:58:15 +02:00
mokaddem
f7b5eb9628
fix: [user:email] Replaced query parameters by cake's named parameters. Hopefully fix #5745
2020-04-07 14:56:26 +02:00
iglocska
1b65bfb843
fix: [user registration] minor bug fixes
2020-04-07 14:47:25 +02:00
iglocska
3241e95730
fix: [user registration] automatically convert selected orgs to local as described in the tool
2020-04-07 14:27:21 +02:00
iglocska
ad4074c1d6
Merge branch '2.4' of github.com:MISP/MISP into 2.4
2020-04-07 13:23:25 +02:00
iglocska
4ebc0a7988
new: [inbox] system added
- user self-registration is the first use-case
- if the feature is enabled, users can unauthenticated send a registration request to MISP
- request includes information on desired org and some privileges (sync / org admin / publisher)
- requests land in the inbox, admins can inspect the registration requests
- they can accept/discard them individually or en masse
- users will be notified of their credentials automatically
- quick user creation if the user asks for an org that doesn't exist yet
2020-04-07 13:21:01 +02:00
iglocska
83328f4e4c
chg: [publish alert] default added to user creation via the API
2020-03-29 08:56:55 +02:00
Golbark
9062881469
Add consistent i18n support for all strings.
2020-03-26 07:18:22 -07:00
Golbark
d254d04365
Rely on session_id instead of user_id and address minor comments
2020-03-26 02:55:14 -07:00
Golbark
309bbc6814
new: usr: Implementation of email-based OTP
2020-03-25 07:45:09 -07:00
iglocska
d7e3674987
new: [audit] Added user monitoring
- site admins can set the monitoring flag on a user if the feature is enabled on the instance
- monitored users will have all requests logged along with POST bodies
- keep in mind this functionality is quite heavy and intrusive - so use it with care. The idea is that this allows us to track potentially malicious users during an investigation
2020-03-25 11:49:33 +01:00
iglocska
e5d775e9c8
fix: [message] user creation shouldn't include the "User notified of new credentials" part of the notification message if emailing is disabled
2020-03-19 11:08:09 +01:00
mokaddem
f6c06d8e6b
fix: [user:login] Added support of `RFC822` for older PHP version
2020-03-11 10:48:52 +01:00
mokaddem
2ccf3dab76
fix: [user:resetAuthkey] Allows the function to be called
2020-03-09 09:02:06 +01:00
mokaddem
6fad7028b3
fix: [user:edit] Prevent password change with the current password
- As reported by an external pentest company on behalf of the Centre for Cyber security Belgium (CCB)
2020-03-06 16:19:12 +01:00
mokaddem
40560b8873
fix: [user:edit] Correctly re-insert form data, wiping password information
2020-03-06 16:17:28 +01:00
mokaddem
fc0ed4c9a0
chg: [login] Display last time the user logged in
2020-03-06 16:12:40 +01:00
mokaddem
de80d340cf
fix: [user:resetauthkey] Method can only be accessed via POST request
- As reported by an external pentest company on behalf of the Centre for Cyber security Belgium (CCB)
2020-03-06 15:58:08 +01:00
iglocska
612897d26f
chg: [cleanup] removed old dashboard
2020-03-02 23:05:08 +01:00
iglocska
0d4df7c98b
new: [Dashboard] system
- Dashboard
- modular similar to restSearch
- build your own widgets
- use a set of visualisation options (more coming!)
- full access to internal functions for queries
- auto discover core and 3rd party widgets
- rearrange / configure widgets for each user individually
- rearrange / resize widgets
- settings can be configured by a site-admin on behalf of others
- modules have a self-explain mode to guide users
- caching mechanism for the modules / org
- set homepage / user
- various other fixes
2020-03-01 18:05:21 +01:00
iglocska
8803f47a9e
Merge branch '2.4' of github.com:MISP/MISP into 2.4
2020-02-10 14:33:39 +01:00
iglocska
934c828192
fix: [security] Further fixes to the bruteforce handling
- resolved a potential failure of the subsystem when the MySQL and the webserver time settings diverge
- as reported by Dawid Czarnecki
- several tightenings of the checks to avoid potential foul play
2020-02-10 11:41:54 +01:00
mokaddem
6e66256f7a
Merge branch '2.4' of github.com:MISP/MISP into pr-5210
2020-02-10 11:09:14 +01:00
Andras Iklody
91a045c13f
Merge pull request #5208 from JakubOnderka/patch-34
Simplify user profile logging
2019-12-11 19:28:32 +01:00
iglocska
ff333ccb85
fix: [internal] fixed the hacky removal of passwords on returned user objects for /users/edit
- this commit gets 1*
2019-11-29 16:12:33 +01:00
iglocska
ca484ae1dc
fix: [API] /users/edit modifications
- remove sanitised password when directly posting back a user object
- more graceful error handling if something goes critically wrong
2019-11-29 12:40:18 +01:00
iglocska
be4034d7a2
fix: [user API] users/edit now avoids having to set confirm_password when setting a password via the API
2019-11-29 12:16:27 +01:00
iglocska
e6e28dfc27
fix: [API] Don't strip empty usersettings from users/view
2019-11-26 19:34:37 +01:00
iglocska
0c850c7cdb
fix: [API] users/edit fixed
2019-11-26 19:25:30 +01:00
iglocska
dc1f9fcad9
fix: [internal] fixed weird user message code
- I have no idea what I was thinking there...
2019-11-26 19:19:58 +01:00
iglocska
26459f1b63
Merge branch '2.4' of github.com:MISP/MISP into 2.4
2019-11-26 19:04:34 +01:00
iglocska
958731920c
chg: [API] users/edit refactor
- load only what is needed
- handle API requests in a cleaner way
2019-11-26 19:03:53 +01:00
Andras Iklody
76656e8ed4
Merge pull request #5404 from MISP/feature-OrgsStats
Added more Organisation statistics
2019-11-26 13:00:13 +01:00
iglocska
8438db4565
fix: [user view] server issues fixed
2019-11-20 16:17:18 +01:00
mokaddem
806f443764
new: [statistics] Added organisation activity over time
2019-11-16 15:40:02 -05:00
mokaddem
a8b5da4be2
chg: [statistics] Added Attribute count
2019-11-16 13:12:37 -05:00
Jakub Onderka
688bab2778
chg: [internal] Simplify UserController::admin_edit
2019-10-11 20:35:27 +02:00
iglocska
b44063e7d1
fix: [internal] missing org object for users/view
2019-10-10 15:13:34 +02:00
iglocska
15b10bbcf7
new: [user settings] Added restrictions for certain settings
- based on role permissions
- enforce the checks on set/delete
- add it to the UI elements
- /users/view /admin/users/view now include the user settings in a simplified format
2019-10-10 11:58:26 +02:00
mokaddem
8c4799fb99
chg: [user:me] Added `Role` object in the return value for the rest context
2019-10-07 16:35:22 +02:00
Jakub Onderka
a9f6af9fcb
chg: [user] GPG key fetching by server
2019-09-23 22:09:02 +02:00
Andras Iklody
6b42f089cd
Merge pull request #5129 from JakubOnderka/array-copy-remove
chg: [users] Remove unused method UsersController::arrayCopy
2019-09-10 11:32:30 +02:00
Jakub Onderka
1cd2ff5ca6
chg: [users] Remove unused method UsersController::arrayCopy
2019-09-09 23:37:37 +02:00
Jakub Onderka
50a0f564c6
fix: [audit] Correct title in audit log when admin edit user
2019-09-09 19:34:38 +02:00
iglocska
75acd63c46
fix: [security] Fix to a vulnerability related to the server index
- along with various support tools
- more information coming soon
2019-09-09 13:00:21 +02:00
iglocska
5916de9d5e
fix: [API] Fixed output of the attribute histogram
- no more STIX-ish barf inducing numeric string keys for dictionaries
2019-08-27 10:34:29 +02:00
iglocska
96475f59f6
fix: [admin] Invalid domain restriction check for site admins, fixes #5035
2019-08-22 10:41:30 +02:00
iglocska
ed1e55b76b
fix: [API] Fixed an edge case when the attribute histogram throws a notice error
- no idea how to reproduce it, the organisation referenced in an event orgc_id not existing is a pre-condition
- fixes #4880
2019-07-29 16:28:42 +02:00
iglocska
64fafa1913
fix: [api fix] Deletes broken due to invalid boolean
- /facepalm
2019-07-10 13:55:33 +02:00
iglocska
ed401d88be
fix: [API] delete http requests properly accepted by some /delete endpoints
2019-07-10 11:57:21 +02:00
mokaddem
f850abcdaa
fix: [galaxyMatrix] Handle case if deprecated galaxy does not exist
2019-06-12 14:12:06 +02:00
mokaddem
52ae153c0e
Merge branch '2.4' of github.com:MISP/MISP into galaxyMatrixImprovements
2019-06-11 15:56:10 +02:00
mokaddem
11a4bdb959
chg: [restSearch:attack] Only expose attack return format to the `event` scope
2019-06-11 15:50:51 +02:00
mokaddem
acef3a0168
chg: [galaxyMatrix:stats] Only take into account occurrences of galaxy once per event
2019-06-11 15:09:02 +02:00
mokaddem
fed5556976
fix: [galaxyMatrix:export] Removed multiple bugs providing inconsistent result
2019-06-11 14:13:17 +02:00
iglocska
36b43f1306
fix: [security] Org admins could reset credentials for site admins
- org admins have the inherent ability to reset passwords for all of their org's users
- this however could be abused if for some reason the host org of an instance would create org admins
- the org admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them
- the potential for abuse is very circumstantial as it requires the host org to create lower privilege org admins instead of the usual site admins
- only org admins of the same organisation as the site admin could abuse this
- as reported by Raymond Schippers
2019-06-11 11:05:34 +02:00
mokaddem
4fafb1541c
chg: [galaxyMatrix] Transformed query into cakephp model query
2019-05-15 11:55:22 +02:00
mokaddem
0c69e739cc
new: [statistics:galaxyMatrix] Added filtering capabilities
2019-05-15 11:12:09 +02:00
mokaddem
4fbe857f90
chg: [galaxyMatrix] Added sorting by score. Fix #4608
2019-05-13 15:07:38 +02:00
mokaddem
d3013a9252
fix: [stats:galaxyMatrix] No longer trim the end of the cluster name
2019-04-23 08:49:04 +02:00
iglocska
7a1dbe4c1f
fix: [API] role_id is not required when POSTing users if a default role is set on the instance
2019-04-04 13:42:06 +02:00
4ekin
c32d3bce32
fix: Fixed i18n strings in Controllers
2019-04-02 16:57:41 +03:00
mokaddem
d60095112f
Merge branch '2.4' of github.com:MISP/MISP into galaxyMatrixStat
2019-03-15 11:18:34 +01:00
iglocska
7b34e8cacb
fix: [API] resetting the authkey didn't respond with the new key before, making automation difficult.
2019-03-12 22:03:34 +01:00
mokaddem
04798bf7e4
new: [galaxyMatrix] Added possibility to pick a galaxy to view its statistics.
2019-03-12 15:36:00 +01:00
iglocska
66ad17a1ee
new: [API] exposed change_pw function to the API, fixes #4256
2019-03-02 23:47:13 +01:00
mokaddem
1ed609872c
chg: simplified condition 2
2019-02-15 15:04:07 +01:00
mokaddem
7a2010fb0e
chg: [galaxy_matrix] TEMPORARY - Merge scores of both deprecated and mitre-attack galaxy namespace for the matrix view.
This commit aims to still have correct scores in the galaxy_matrix until the fixMitreTags function is live and running
2019-02-15 14:41:55 +01:00
mokaddem
12ed3457e8
chg: [galaxy_matrix] cleanup in variable names to be more generic
2019-02-15 09:24:52 +01:00
mokaddem
a5653e86ea
new: [matrix] Replaced the Att&ck matrix by a generic matrix viewer, allowing custom matrices to be displayed.
Also added the external id to the chosen input.
2019-02-12 13:59:51 +01:00
mokaddem
431529c81c
chg: [attackMatrix] UI: improved color scale - WiP
2019-02-11 17:54:29 +01:00
iglocska
9afd0d8600
fix: [redirect] Correctly redirect to the requested URL after a login, fixes #4005 , fixes #1301
2019-01-28 17:02:04 +01:00
iglocska
2d0259ce13
fix: [CS] coding standards script re-run
2018-11-23 14:11:33 +01:00
mokaddem
2152493dd0
chg: [users/emails] Better comments
2018-11-09 13:42:28 +01:00
mokaddem
6bb31fbb1d
chg: [users/email] Changed behavior of sending mail to avoid code duplication
If an additional parameter is passed to the url, it will only show the result of submitting the form without the submission
2018-11-09 13:38:52 +01:00
mokaddem
296128fe54
fix: [users/emails] submission fix + cleaned code + comments
2018-11-09 12:12:06 +01:00
mokaddem
651861d1d8
new: [users/mails] Added possibility to send a mail to all users of the same organisation
2018-11-09 11:48:39 +01:00
mokaddem
9b44050e1c
new: [users/mails] add confirmation popup before sending mails
2018-11-09 11:23:32 +01:00
iglocska
333cafca76
chg: [statistics] Show % of users with pgp keys
2018-10-30 14:58:49 +01:00
iglocska
3bdcca617e
new: [statistics] Added local org and user/org counts
2018-10-30 14:51:27 +01:00
iglocska
c54538766e
Merge branch '2.4' into feature/api_rework
2018-08-21 13:39:34 +02:00
iglocska
1eded5f3c7
fix: [statistics] Solve the issue with the unfiltered total counters in the user and org statistics
2018-08-21 13:37:47 +02:00
iglocska
12ac58f0e1
fix: [statistics] fixed an issue where the org statistics didn't correctly apply the local filters
- both local and external just showed the sum totals instead of the individual pools
2018-08-21 13:34:59 +02:00
iglocska
f675fb8b29
Merge branch '2.4' into feature/api_rework
2018-08-17 14:49:09 +02:00
Sami Mokaddem
212c11290d
fix: [usersStat] allow fetching json of statistics/users
2018-08-13 11:39:25 +00:00
Anthony Vaccaro
1b68005bbe
Add a permission check to the change password page.
The 'MISP.disableUserSelfManagement' config variable is checked when rendering the link to the change password page, but is not checked when rendering the page itself. This could lead to unauthorised password changes by users with existing accounts on the MISP instance.
2018-08-13 15:55:51 +10:00
iglocska
0694263e15
Merge branch '2.4' into feature/api_rework
2018-08-09 16:51:20 +02:00
iglocska
4fa5834cbc
new: [PGP] Added fingerprint to /users/verifyGPG
2018-08-06 17:00:15 +02:00
iglocska
34ba484b06
chg: [cleanup] Removed todos from userscontroller that have become irrelevant
2018-08-04 22:48:19 +02:00
iglocska
a81894f14c
chg: [CS] Changed to PSR-2
- to make contributions easier, adopted PSR-2
- used php-cs-fixer to rework the style
- *sniff sniff* Goodbye tab indentation
2018-07-19 11:48:22 +02:00
iglocska
71bb60a702
new: [Statistics] Added a new tab to the statistics showing the user/organisation additions over the past month/year
2018-07-13 12:08:29 +02:00
iglocska
6ffacc1e23
fix: [security] Brute force protection can be bypassed with a PUT request
- fixes an issue where brute forcing the login would work by using PUT requests
- as reported by Silver Saks from CCDCOE
2018-06-21 15:48:32 +02:00
iglocska
87c152d9f3
fix: Use common code-path for user init via the login page and the CLI
- also, be consistent with initial settings
2018-06-20 07:32:52 +02:00
Sami Mokaddem
e3988c73ad
new: [attackMatrix] Also consider attack galaxy at event level in the heatmap
fix: [attackMatrix] Typo in ATT&CK + division by 0 in gradiendTool
2018-06-18 14:51:29 +00:00
Sami Mokaddem
3a27009775
Merge remote-tracking branch 'upstream/2.4' into attack
2018-06-18 12:18:31 +00:00
Sami Mokaddem
929946f055
new: [attackMatrix] added instance UUID in rest response
2018-06-18 12:04:38 +00:00
Sami Mokaddem
8d145086f0
new: [attackMatrix] statistic about attack tags used in the instance
chg: [attackMatrix] moved functions in to model and matrix view into elements
2018-06-18 09:58:20 +00:00
iglocska
48feb7b7d2
new: [functionality] Kick user out if the session is expired instead of only doing it on a page load
2018-06-12 16:09:50 +02:00
iglocska
68b8266584
new: New flash message system, fixes #3252
- 3 types of flash messages (success, error, warning)
- uses bootstrap's own classes/structure
2018-05-16 19:32:38 +02:00
iglocska
b325a5d2a4
Merge branch '2.4' of github.com:MISP/MISP into 2.4
2018-05-08 07:52:32 +02:00
Sami Mokaddem
680311f68f
chg: [Controllers] sets the ajax variable globally
As well as removing useless set in controllers and accessing it instead of passing through the request.
2018-05-07 14:44:59 +00:00
iglocska
2f8686aec3
fix: Don't redirect users to terms page if no terms page is set
2018-05-06 22:42:21 +02:00
iglocska
41fdf6da8b
new: Allow further role settings
- exclude a role from non site admin assignment
- set max memory usage and execution time / role
2018-03-24 21:43:46 +01:00
iglocska
a596d5800f
fix: Run the db update before trying to add users/orgs
2018-02-02 19:52:43 +01:00
iglocska
7772b9c43e
new: Disable the viewing of a full organisation list by normal users
- Only site admins and sharing group editors can see organisation lists
- this includes the org index and various statistics
- Keep in mind: Sharing group editors CAN see the full organisation list - otherwise they wouldn't be able to create sharing groups.
- Also, users CAN enumerate organisations that have created ANY data on the instance by looking at the given data
- this includes events, proposals, discussion entries, etc
2018-01-13 16:55:01 +01:00
iglocska
4af2136645
fix: Sanitise the list of fields fetched for the admin user index
- as reported by @deralexxx
2018-01-12 11:34:29 +01:00
iglocska
13d4a1d197
chg: Added sane default org_id to users/add API
- takes current user's org_id as the default
2017-12-14 16:32:08 +01:00
iglocska
05a89f5e87
Merge branch '2.4' into feature/tag_filter_rework
2017-11-30 22:28:35 +01:00
iglocska
c9b4f8c6ab
fix: Added db changes needed for the user domain restrictions along with restricting the user self edit action
2017-11-28 11:52:01 +01:00
iglocska
69423a8bcf
new: Add restrictions for e-mail addresses to certain domains
TODO: tie it into the user edit action
2017-11-27 10:22:37 +01:00
iglocska
7d5890b2fc
fix: Leaking of hashed passwords in the audit logs fixed
- Scope was limited due to the audit log access restrictions to site/org admins
2017-11-24 11:55:16 +01:00
iglocska
8794af9118
fix: Expose /users/view/me to the API, fixes #2679
2017-11-23 15:44:38 +01:00
Milan Pikula
3626f3ce67
change behavior of login page to return to original page after authentication
2017-11-22 17:15:51 +01:00
iglocska
67d9cd6a6c
new: Include user action in zmq
2017-11-16 12:15:39 +01:00
iglocska
943f18d6cc
new: push the action for user updates/creations/logins along with the user object to the ZMQ channel
2017-11-16 08:58:53 +01:00
iglocska
3e5b1179c5
fix: Histogram rework
- removed junk debug
- fixed group by issue
- better performance
2017-11-08 11:58:19 +01:00
iglocska
68f4833893
new: First version of the zmq reimplementation
2017-10-27 09:10:46 +02:00
iglocska
cfcaf0d410
chg: Made the current password confirmation requirement for any user profile edits optional
- default setting is having it off
- incredibly frustrating feature is now only enabled on demand
2017-08-18 09:05:20 +02:00