Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop-unstable

2022-02-21 11:17:05 +01:00 · 2022-02-21 11:17:05 +01:00 · 7ea5acb167
parent 20907a45da b67c221476
commit 7ea5acb167
9 changed files with 38 additions and 12 deletions
--- a/src/Controller/AuthKeysController.php
+++ b/src/Controller/AuthKeysController.php
@ -84,7 +84,7 @@ class AuthKeysController extends AppController
            'displayOnSuccess' => 'authkey_display',
            'beforeSave' => function($data) use ($users) {
                if (!in_array($data['user_id'], array_keys($users))) {
-                    return false;
+                    throw new MethodNotAllowedException(__('You are not authorised to do that.'));
                }
                return $data;
            }
--- a/src/Controller/Component/FloodProtectionComponent.php
+++ b/src/Controller/Component/FloodProtectionComponent.php
@ -17,7 +17,14 @@ class FloodProtectionComponent extends Component
    public function initialize(array $config): void
    {
        $ip_source = Configure::check('security.logging.ip_source') ? Configure::read('security.logging.ip_source') : 'REMOTE_ADDR';
        if (!isset($_SERVER[$ip_source])) {
            $ip_source = 'REMOTE_ADDR';
        }
        if (isset($_SERVER[$ip_source])) {
            $this->remote_ip = $_SERVER[$ip_source];
        } else {
            $this->remote_ip = '127.0.0.1';
        }
        $temp = explode(PHP_EOL, $_SERVER[$ip_source]);
        if (count($temp) > 1) {
            $this->remote_ip = $temp[0];
--- a/src/Controller/SharingGroupsController.php
+++ b/src/Controller/SharingGroupsController.php
@ -36,10 +36,17 @@ class SharingGroupsController extends AppController
    public function add()
    {
        $currentUser = $this->ACL->getUser();
        $this->CRUD->add([
            'override' => [
                'user_id' => $this->ACL->getUser()['id']
-            ]
+            ],
            'beforeSave' => function($data) use ($currentUser) {
                if (!$currentUser['role']['perm_admin']) {
                    $data['organisation_id'] = $currentUser['organisation_id'];
                }
                return $data;
            }
        ]);
        $dropdownData = [
            'organisation' => $this->getAvailableOrgForSg($this->ACL->getUser())
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@ -166,6 +166,12 @@ class UsersController extends AppController
                    }
                    return $data;
                };
                $params['beforeSave'] = function ($data) use ($currentUser, $validRoles) {
                    if (!in_array($data['role_id'], array_keys($validRoles))) {
                        throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.'));
                    }
                    return $data;
                };
            }
        }
        $this->CRUD->edit($id, $params);
@ -311,7 +317,7 @@ class UsersController extends AppController
        if (empty(Configure::read('security.registration.self-registration'))) {
            throw new UnauthorizedException(__('User self-registration is not open.'));
        }
-        if (!empty(Configure::read('security.registration.floodProtection'))) {
+        if (!Configure::check('security.registration.floodProtection') || Configure::read('security.registration.floodProtection')) {
            $this->FloodProtection->check('register');
        }
        if ($this->request->is('post')) {
--- a/src/Lib/default/local_tool_connectors/MispConnector.php
+++ b/src/Lib/default/local_tool_connectors/MispConnector.php
@ -132,9 +132,9 @@ class MispConnector extends CommonConnectorTools
    {
        return $validator
            ->requirePresence('url')
-            ->notEmpty('url', __('An URL must be provided'))
+            ->notEmptyString('url', __('An URL must be provided'))
            ->requirePresence('authkey')
-            ->notEmpty('authkey', __('An Authkey must be provided'))
+            ->notEmptyString('authkey', __('An Authkey must be provided'))
            ->lengthBetween('authkey', [40, 40], __('The authkey must be 40 character long'))
            ->boolean('skip_ssl');
    }
--- a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
+++ b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
@ -8,6 +8,7 @@ require_once(APP . 'Model' . DS . 'Table' . DS . 'SettingProviders' . DS . 'Base
 use App\Settings\SettingsProvider\BaseSettingsProvider;
 use App\Settings\SettingsProvider\SettingValidator;
 use Cake\Core\Configure;
 class CerebrateSettingsProvider extends BaseSettingsProvider
 {
@ -300,8 +301,10 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
                        'security.registration.floodProtection' => [
                            'name' => __('Enable registration flood-protection'),
                            'type' => 'boolean',
-                            'description' => __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
+                            'description' => (Configure::check('security.logging.ip_source') && Configure::read('security.logging.ip_source') !== 'REMOTE_ADDR') ?
-                            'default' => false,
+                                __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame). WARNING: Be aware that you are not using REMOTE_ADDR (as configured via security.logging.ip_source) - this could lead to an attacker being able to spoof their IP and circumvent the flood protection. Only rely on the client IP if your reverse proxy in front of Cerebrate is properly setting this header.'):
                                __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
                            'default' => true,
                        ],
                    ]
                ],
--- a/templates/element/genericElements/IndexTable/Fields/actions.php
+++ b/templates/element/genericElements/IndexTable/Fields/actions.php
@ -98,7 +98,7 @@
                    );
                }
                $reload_url = !empty($action['reload_url']) ? $action['reload_url'] : $this->Url->build(['action' => 'index']);
-                $action['onclick'] = sprintf('UI.submissionModalForIndex(\'%s\', \'%s\', \'%s\')', $modal_url, $reload_url, $tableRandomValue);
+                $action['onclick'] = sprintf('UI.submissionModalForIndex(\'%s\', \'%s\', \'%s\')', h($modal_url), h($reload_url), h($tableRandomValue));
            }
            echo sprintf(
                '<a href="%s" title="%s" aria-label="%s" %s %s class="btn btn-sm btn-%s table-link-action"><i class="%s"></i></a> ',
--- a/templates/genericTemplates/delete.php
+++ b/templates/genericTemplates/delete.php
@ -18,7 +18,11 @@ $form = $this->element('genericElements/Form/genericForm', [
 ]);
 $formHTML = sprintf('<div class="d-none">%s</div>', $form);
 if (!empty($id)) {
    $bodyMessage = !empty($deletionText) ? h($deletionText) : __('Are you sure you want to delete {0} #{1}?', h(Cake\Utility\Inflector::singularize($this->request->getParam('controller'))), h($id));
 } else {
    $bodyMessage = !empty($deletionText) ? h($deletionText) : __('Are you sure you want to delete the given {0}?', h(Cake\Utility\Inflector::singularize($this->request->getParam('controller'))));
 }
 $bodyHTML = sprintf('%s%s', $formHTML, $bodyMessage);
 echo $this->Bootstrap->modal([
--- a/tests/TestCase/Api/AuthKeys/AddAuthKeyApiTest.php
+++ b/tests/TestCase/Api/AuthKeys/AddAuthKeyApiTest.php
@ -65,8 +65,7 @@ class AddAuthKeyApiTest extends TestCase
            ]
        );
-        $this->assertResponseCode(404);
+        $this->assertResponseCode(405);
        $this->addWarning('Should return 405 Method Not Allowed instead of 404 Not Found');
        $this->assertDbRecordNotExists('AuthKeys', ['uuid' => $uuid]);
    }
 }