Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop-unstable

src/Controller/AuthKeysController.php

@@ -84,7 +84,7 @@ class AuthKeysController extends AppController
             'displayOnSuccess' => 'authkey_display',
             'beforeSave' => function($data) use ($users) {
                 if (!in_array($data['user_id'], array_keys($users))) {
-                    return false;
+                    throw new MethodNotAllowedException(__('You are not authorised to do that.'));
                 }
                 return $data;
             }

src/Controller/Component/FloodProtectionComponent.php

@@ -17,7 +17,14 @@ class FloodProtectionComponent extends Component
     public function initialize(array $config): void
     {
         $ip_source = Configure::check('security.logging.ip_source') ? Configure::read('security.logging.ip_source') : 'REMOTE_ADDR';
-        $this->remote_ip = $_SERVER[$ip_source];
+        if (!isset($_SERVER[$ip_source])) {
+            $ip_source = 'REMOTE_ADDR';
+        }
+        if (isset($_SERVER[$ip_source])) {
+            $this->remote_ip = $_SERVER[$ip_source];
+        } else {
+            $this->remote_ip = '127.0.0.1';
+        }
         $temp = explode(PHP_EOL, $_SERVER[$ip_source]);
         if (count($temp) > 1) {
             $this->remote_ip = $temp[0];

src/Controller/SharingGroupsController.php

@@ -36,10 +36,17 @@ class SharingGroupsController extends AppController
 
     public function add()
     {
+        $currentUser = $this->ACL->getUser();
         $this->CRUD->add([
             'override' => [
                 'user_id' => $this->ACL->getUser()['id']
-            ]
+            ],
+            'beforeSave' => function($data) use ($currentUser) {
+                if (!$currentUser['role']['perm_admin']) {
+                    $data['organisation_id'] = $currentUser['organisation_id'];
+                }
+                return $data;
+            }
         ]);
         $dropdownData = [
             'organisation' => $this->getAvailableOrgForSg($this->ACL->getUser())

src/Controller/UsersController.php

@@ -166,6 +166,12 @@ class UsersController extends AppController
                     }
                     return $data;
                 };
+                $params['beforeSave'] = function ($data) use ($currentUser, $validRoles) {
+                    if (!in_array($data['role_id'], array_keys($validRoles))) {
+                        throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.'));
+                    }
+                    return $data;
+                };
             }
         }
         $this->CRUD->edit($id, $params);
@@ -311,7 +317,7 @@ class UsersController extends AppController
         if (empty(Configure::read('security.registration.self-registration'))) {
             throw new UnauthorizedException(__('User self-registration is not open.'));
         }
-        if (!empty(Configure::read('security.registration.floodProtection'))) {
+        if (!Configure::check('security.registration.floodProtection') || Configure::read('security.registration.floodProtection')) {
             $this->FloodProtection->check('register');
         }
         if ($this->request->is('post')) {

src/Lib/default/local_tool_connectors/MispConnector.php

@@ -132,9 +132,9 @@ class MispConnector extends CommonConnectorTools
     {
         return $validator
             ->requirePresence('url')
-            ->notEmpty('url', __('An URL must be provided'))
+            ->notEmptyString('url', __('An URL must be provided'))
             ->requirePresence('authkey')
-            ->notEmpty('authkey', __('An Authkey must be provided'))
+            ->notEmptyString('authkey', __('An Authkey must be provided'))
             ->lengthBetween('authkey', [40, 40], __('The authkey must be 40 character long'))
             ->boolean('skip_ssl');
     }

src/Model/Table/SettingProviders/CerebrateSettingsProvider.php

@@ -8,6 +8,7 @@ require_once(APP . 'Model' . DS . 'Table' . DS . 'SettingProviders' . DS . 'Base
 
 use App\Settings\SettingsProvider\BaseSettingsProvider;
 use App\Settings\SettingsProvider\SettingValidator;
+use Cake\Core\Configure;
 
 class CerebrateSettingsProvider extends BaseSettingsProvider
 {
@@ -300,8 +301,10 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
                         'security.registration.floodProtection' => [
                             'name' => __('Enable registration flood-protection'),
                             'type' => 'boolean',
-                            'description' => __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
-                            'default' => false,
+                            'description' => (Configure::check('security.logging.ip_source') && Configure::read('security.logging.ip_source') !== 'REMOTE_ADDR') ?
+                                __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame). WARNING: Be aware that you are not using REMOTE_ADDR (as configured via security.logging.ip_source) - this could lead to an attacker being able to spoof their IP and circumvent the flood protection. Only rely on the client IP if your reverse proxy in front of Cerebrate is properly setting this header.'):
+                                __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
+                            'default' => true,
                         ],
                     ]
                 ],

templates/element/genericElements/IndexTable/Fields/actions.php

@@ -98,7 +98,7 @@
                     );
                 }
                 $reload_url = !empty($action['reload_url']) ? $action['reload_url'] : $this->Url->build(['action' => 'index']);
-                $action['onclick'] = sprintf('UI.submissionModalForIndex(\'%s\', \'%s\', \'%s\')', $modal_url, $reload_url, $tableRandomValue);
+                $action['onclick'] = sprintf('UI.submissionModalForIndex(\'%s\', \'%s\', \'%s\')', h($modal_url), h($reload_url), h($tableRandomValue));
             }
             echo sprintf(
                 '<a href="%s" title="%s" aria-label="%s" %s %s class="btn btn-sm btn-%s table-link-action"><i class="%s"></i></a> ',

templates/genericTemplates/delete.php

@@ -18,7 +18,11 @@ $form = $this->element('genericElements/Form/genericForm', [
 ]);
 $formHTML = sprintf('<div class="d-none">%s</div>', $form);
 
-$bodyMessage = !empty($deletionText) ? h($deletionText) : __('Are you sure you want to delete {0} #{1}?', h(Cake\Utility\Inflector::singularize($this->request->getParam('controller'))), h($id));
+if (!empty($id)) {
+    $bodyMessage = !empty($deletionText) ? h($deletionText) : __('Are you sure you want to delete {0} #{1}?', h(Cake\Utility\Inflector::singularize($this->request->getParam('controller'))), h($id));
+} else {
+    $bodyMessage = !empty($deletionText) ? h($deletionText) : __('Are you sure you want to delete the given {0}?', h(Cake\Utility\Inflector::singularize($this->request->getParam('controller'))));
+}
 $bodyHTML = sprintf('%s%s', $formHTML, $bodyMessage);
 
 echo $this->Bootstrap->modal([

tests/TestCase/Api/AuthKeys/AddAuthKeyApiTest.php

@@ -65,8 +65,7 @@ class AddAuthKeyApiTest extends TestCase
             ]
         );
 
-        $this->assertResponseCode(404);
-        $this->addWarning('Should return 405 Method Not Allowed instead of 404 Not Found');
+        $this->assertResponseCode(405);
         $this->assertDbRecordNotExists('AuthKeys', ['uuid' => $uuid]);
     }
 }