diff --git a/src/Controller/AuthKeysController.php b/src/Controller/AuthKeysController.php
index 9ed43c3..978810c 100644
--- a/src/Controller/AuthKeysController.php
+++ b/src/Controller/AuthKeysController.php
@@ -84,7 +84,7 @@ class AuthKeysController extends AppController
 'displayOnSuccess' => 'authkey_display',
 'beforeSave' => function($data) use ($users) {
 if (!in_array($data['user_id'], array_keys($users))) {
- return false;
+ throw new MethodNotAllowedException(__('You are not authorised to do that.'));
 }
 return $data;
 }
diff --git a/src/Controller/Component/FloodProtectionComponent.php b/src/Controller/Component/FloodProtectionComponent.php
index 6fbd0ec..91668b6 100644
--- a/src/Controller/Component/FloodProtectionComponent.php
+++ b/src/Controller/Component/FloodProtectionComponent.php
@@ -17,7 +17,14 @@ class FloodProtectionComponent extends Component
 public function initialize(array $config): void
 {
 $ip_source = Configure::check('security.logging.ip_source') ? Configure::read('security.logging.ip_source') : 'REMOTE_ADDR';
- $this->remote_ip = $_SERVER[$ip_source];
+ if (!isset($_SERVER[$ip_source])) {
+ $ip_source = 'REMOTE_ADDR';
+ }
+ if (isset($_SERVER[$ip_source])) {
+ $this->remote_ip = $_SERVER[$ip_source];
+ } else {
+ $this->remote_ip = '127.0.0.1';
+ }
 $temp = explode(PHP_EOL, $_SERVER[$ip_source]);
 if (count($temp) > 1) {
 $this->remote_ip = $temp[0];
diff --git a/src/Controller/SharingGroupsController.php b/src/Controller/SharingGroupsController.php
index 313833e..051f53e 100644
--- a/src/Controller/SharingGroupsController.php
+++ b/src/Controller/SharingGroupsController.php
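Review bot: The membership test that now guards the throw, `in_array($data['user_id'], array_keys($users))`, still compares loosely, and `$data` comes from the request body, so a value that is not a plain integer is matched under PHP's coercion rules rather than against the actual key set; `in_array((int) $data['user_id'], array_keys($users), true)` after rejecting non-numeric input, or `array_key_exists($data['user_id'], $users)`, states the intent. The new `beforeSave` closure in src/Controller/UsersController.php has the same pattern with `$validRoles`. `MethodNotAllowedException` is not imported within this hunk; if the file does not already `use Cake\Http\Exception\MethodNotAllowedException`, the name resolves inside the controller namespace and the throw becomes a class-not-found error instead of a 405. A 405 describes an unsupported HTTP method, so `ForbiddenException` (403) would express "not authorised" more accurately, although the updated test in tests/TestCase/Api/AuthKeys/AddAuthKeyApiTest.php pins 405. The `CRUD->add([...])` call that holds this closure starts before the hunk.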
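Review bot: The line right after the new fallback, `$temp = explode(PHP_EOL, $_SERVER[$ip_source]);`, still reads `$_SERVER[$ip_source]` unguarded, so in exactly the case the new `else` branch handles (neither the configured header nor `REMOTE_ADDR` present) it raises an undefined-array-key warning and the multi-line handling never sees the stored fallback. Using the value the component just assigned, `$temp = explode(PHP_EOL, $this->remote_ip);`, keeps the three statements consistent. Because `security.logging.ip_source` can name a client-supplied header, validating the result with `filter_var($this->remote_ip, FILTER_VALIDATE_IP)` before using it as a rate-limit key would reject malformed values early. The `127.0.0.1` fallback also puts every address-less request into one bucket, which deserves a comment such as `// no usable client address: all such requests share one bucket`. initialize() continues past the hunk.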
@@ -36,10 +36,17 @@ class SharingGroupsController extends AppController
 public function add()
 {
+ $currentUser = $this->ACL->getUser();
 $this->CRUD->add([
 'override' => [
 'user_id' => $this->ACL->getUser()['id']
- ]
+ ],
+ 'beforeSave' => function($data) use ($currentUser) {
+ if (!$currentUser['role']['perm_admin']) {
+ $data['organisation_id'] = $currentUser['organisation_id'];
+ }
+ return $data;
+ }
 ]);
 $dropdownData = [
 'organisation' => $this->getAvailableOrgForSg($this->ACL->getUser())
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index 3d684a0..272b1ba 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -166,6 +166,12 @@ class UsersController extends AppController
 }
 return $data;
 };
+ $params['beforeSave'] = function ($data) use ($currentUser, $validRoles) {
+ if (!in_array($data['role_id'], array_keys($validRoles))) {
+ throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.'));
+ }
+ return $data;
+ };
 }
 }
 $this->CRUD->edit($id, $params);
@@ -311,7 +317,7 @@ class UsersController extends AppController
 if (empty(Configure::read('security.registration.self-registration'))) {
 throw new UnauthorizedException(__('User self-registration is not open.'));
 }
- if (!empty(Configure::read('security.registration.floodProtection'))) {
+ if (!Configure::check('security.registration.floodProtection') || Configure::read('security.registration.floodProtection')) {
 $this->FloodProtection->check('register');
 }
 if ($this->request->is('post')) {
diff --git a/src/Lib/default/local_tool_connectors/MispConnector.php b/src/Lib/default/local_tool_connectors/MispConnector.php
index b6ed490..a5adb59 100644
--- a/src/Lib/default/local_tool_connectors/MispConnector.php
+++ b/src/Lib/default/local_tool_connectors/MispConnector.php
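Review bot: The `override` entry still calls `$this->ACL->getUser()['id']` even though the hunk introduces `$currentUser` for exactly that value two lines above; `'user_id' => $currentUser['id']` removes the second lookup and makes the override and the `beforeSave` closure read the same user snapshot. The closure tests `$currentUser['role']['perm_admin']` by truthiness; if that key can be absent for some roles, `empty($currentUser['role']['perm_admin'])` avoids an undefined-key notice while keeping the same decision. The `$dropdownData` line in the trailing context repeats the `getUser()` call as well. add() continues past the hunk.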
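Review bot: The new `beforeSave` closure reads `$data['role_id']` unconditionally, so an edit payload that omits `role_id` produces an undefined-array-key warning and `in_array(null, ...)` then rejects the save with a 405 — unless the CRUD component merges the existing entity into `$data` first, which is not visible here. Guarding with `array_key_exists('role_id', $data) && !isset($validRoles[$data['role_id']])` (or, if a missing key means "role unchanged", skipping the check when it is absent) makes the intended behaviour explicit and strict on the key. `$currentUser` is captured by the closure but never used inside it. `$validRoles` and the enclosing method are defined outside the hunk.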
@@ -132,9 +132,9 @@ class MispConnector extends CommonConnectorTools
 {
 return $validator
 ->requirePresence('url')
- ->notEmpty('url', __('An URL must be provided'))
+ ->notEmptyString('url', __('An URL must be provided'))
 ->requirePresence('authkey')
- ->notEmpty('authkey', __('An Authkey must be provided'))
+ ->notEmptyString('authkey', __('An Authkey must be provided'))
 ->lengthBetween('authkey', [40, 40], __('The authkey must be 40 character long'))
 ->boolean('skip_ssl');
 }
diff --git a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
index 330e589..908d9aa 100644
--- a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
+++ b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
@@ -8,6 +8,7 @@ require_once(APP . 'Model' . DS . 'Table' . DS . 'SettingProviders' . DS . 'Base
 use App\Settings\SettingsProvider\BaseSettingsProvider;
 use App\Settings\SettingsProvider\SettingValidator;
+use Cake\Core\Configure;
 class CerebrateSettingsProvider extends BaseSettingsProvider
 {
@@ -300,8 +301,10 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
 'security.registration.floodProtection' => [
 'name' => __('Enable registration flood-protection'),
 'type' => 'boolean',
- 'description' => __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
- 'default' => false,
+ 'description' => (Configure::check('security.logging.ip_source') && Configure::read('security.logging.ip_source') !== 'REMOTE_ADDR') ?
+ __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame). WARNING: Be aware that you are not using REMOTE_ADDR (as configured via security.logging.ip_source) - this could lead to an attacker being able to spoof their IP and circumvent the flood protection. Only rely on the client IP if your reverse proxy in front of Cerebrate is properly setting this header.'):
+ __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
+ 'default' => true,
 ],
 ]
 ],
diff --git a/templates/element/genericElements/IndexTable/Fields/actions.php b/templates/element/genericElements/IndexTable/Fields/actions.php
index 543cb2e..379fb58 100644
--- a/templates/element/genericElements/IndexTable/Fields/actions.php
+++ b/templates/element/genericElements/IndexTable/Fields/actions.php
@@ -98,7 +98,7 @@
 );
 }
 $reload_url = !empty($action['reload_url']) ? $action['reload_url'] : $this->Url->build(['action' => 'index']);
- $action['onclick'] = sprintf('UI.submissionModalForIndex(\'%s\', \'%s\', \'%s\')', $modal_url, $reload_url, $tableRandomValue);
+ $action['onclick'] = sprintf('UI.submissionModalForIndex(\'%s\', \'%s\', \'%s\')', h($modal_url), h($reload_url), h($tableRandomValue));
 }
 echo sprintf(
 ' ',
diff --git a/templates/genericTemplates/delete.php b/templates/genericTemplates/delete.php
index b652eb0..de45ab6 100644
--- a/templates/genericTemplates/delete.php
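Review bot: `h()` is HTML escaping, but `$modal_url`, `$reload_url` and `$tableRandomValue` are interpolated into single-quoted JavaScript string literals inside the `onclick` value; the browser decodes `&#039;` back to `'` when it parses the attribute, before the JavaScript parser runs, so a `'` in any of these values still terminates the literal. Escaping for the JavaScript context first, e.g. `sprintf('UI.submissionModalForIndex(%s, %s, %s)', json_encode($modal_url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP), ...)` for each argument, yields quoted literals that are safe in both the attribute and the script context. The values here are application-built URLs and a random table id, so this is defence in depth rather than a known injection. How the attribute is emitted by the `echo sprintf(` that follows is cut off by the hunk, so whether the whole attribute value is escaped again there (which would double-encode the inner `h()`) needs checking.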
+++ b/templates/genericTemplates/delete.php
@@ -18,7 +18,11 @@ $form = $this->element('genericElements/Form/genericForm', [
 ]);
 $formHTML = sprintf('
%s
', $form);
-$bodyMessage = !empty($deletionText) ? h($deletionText) : __('Are you sure you want to delete {0} #{1}?', h(Cake\Utility\Inflector::singularize($this->request->getParam('controller'))), h($id));
+if (!empty($id)) {
+ $bodyMessage = !empty($deletionText) ? h($deletionText) : __('Are you sure you want to delete {0} #{1}?', h(Cake\Utility\Inflector::singularize($this->request->getParam('controller'))), h($id));
+} else {
+ $bodyMessage = !empty($deletionText) ? h($deletionText) : __('Are you sure you want to delete the given {0}?', h(Cake\Utility\Inflector::singularize($this->request->getParam('controller'))));
+}
 $bodyHTML = sprintf('%s%s', $formHTML, $bodyMessage);
 echo $this->Bootstrap->modal([
diff --git a/tests/TestCase/Api/AuthKeys/AddAuthKeyApiTest.php b/tests/TestCase/Api/AuthKeys/AddAuthKeyApiTest.php
index 2ede468..afb836f 100644
--- a/tests/TestCase/Api/AuthKeys/AddAuthKeyApiTest.php
+++ b/tests/TestCase/Api/AuthKeys/AddAuthKeyApiTest.php
@@ -65,8 +65,7 @@ class AddAuthKeyApiTest extends TestCase
 ]
 );
- $this->assertResponseCode(404);
- $this->addWarning('Should return 405 Method Not Allowed instead of 404 Not Found');
+ $this->assertResponseCode(405);
 $this->assertDbRecordNotExists('AuthKeys', ['uuid' => $uuid]);
 }
 }
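Review bot: The two new branches differ only in the message used when `$deletionText` is empty, yet each repeats the `h($deletionText)` ternary and the `Inflector::singularize(...)` lookup, so a later change to one branch can silently drift from the other. Deciding on `$deletionText` first and computing the entity label once removes the duplication. `!empty($id)` also treats an id of `0` or `'0'` as absent; if ids are always positive this is harmless, otherwise `$id !== null && $id !== ''` is the precise test. The rest of the template lies outside the hunk.
```php
$entityLabel = h(Cake\Utility\Inflector::singularize($this->request->getParam('controller')));
if (!empty($deletionText)) {
    $bodyMessage = h($deletionText);
} elseif (!empty($id)) {
    $bodyMessage = __('Are you sure you want to delete {0} #{1}?', $entityLabel, h($id));
} else {
    $bodyMessage = __('Are you sure you want to delete the given {0}?', $entityLabel);
}
// … unchanged: $bodyHTML assembly and modal rendering …
```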