Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop-unstable

pull/93/head
Sami Mokaddem 2022-02-21 11:17:05 +01:00
commit 7ea5acb167
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
9 changed files with 38 additions and 12 deletions

View File

@ -84,7 +84,7 @@ class AuthKeysController extends AppController
'displayOnSuccess' => 'authkey_display',
'beforeSave' => function($data) use ($users) {
if (!in_array($data['user_id'], array_keys($users))) {
return false;
throw new MethodNotAllowedException(__('You are not authorised to do that.'));
}
return $data;
}

View File

@ -17,7 +17,14 @@ class FloodProtectionComponent extends Component
public function initialize(array $config): void
{
$ip_source = Configure::check('security.logging.ip_source') ? Configure::read('security.logging.ip_source') : 'REMOTE_ADDR';
if (!isset($_SERVER[$ip_source])) {
$ip_source = 'REMOTE_ADDR';
}
if (isset($_SERVER[$ip_source])) {
$this->remote_ip = $_SERVER[$ip_source];
} else {
$this->remote_ip = '127.0.0.1';
}
$temp = explode(PHP_EOL, $_SERVER[$ip_source]);
if (count($temp) > 1) {
$this->remote_ip = $temp[0];

View File

@ -36,10 +36,17 @@ class SharingGroupsController extends AppController
public function add()
{
$currentUser = $this->ACL->getUser();
$this->CRUD->add([
'override' => [
'user_id' => $this->ACL->getUser()['id']
]
],
'beforeSave' => function($data) use ($currentUser) {
if (!$currentUser['role']['perm_admin']) {
$data['organisation_id'] = $currentUser['organisation_id'];
}
return $data;
}
]);
$dropdownData = [
'organisation' => $this->getAvailableOrgForSg($this->ACL->getUser())

View File

@ -166,6 +166,12 @@ class UsersController extends AppController
}
return $data;
};
$params['beforeSave'] = function ($data) use ($currentUser, $validRoles) {
if (!in_array($data['role_id'], array_keys($validRoles))) {
throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.'));
}
return $data;
};
}
}
$this->CRUD->edit($id, $params);
@ -311,7 +317,7 @@ class UsersController extends AppController
if (empty(Configure::read('security.registration.self-registration'))) {
throw new UnauthorizedException(__('User self-registration is not open.'));
}
if (!empty(Configure::read('security.registration.floodProtection'))) {
if (!Configure::check('security.registration.floodProtection') || Configure::read('security.registration.floodProtection')) {
$this->FloodProtection->check('register');
}
if ($this->request->is('post')) {

View File

@ -132,9 +132,9 @@ class MispConnector extends CommonConnectorTools
{
return $validator
->requirePresence('url')
->notEmpty('url', __('An URL must be provided'))
->notEmptyString('url', __('An URL must be provided'))
->requirePresence('authkey')
->notEmpty('authkey', __('An Authkey must be provided'))
->notEmptyString('authkey', __('An Authkey must be provided'))
->lengthBetween('authkey', [40, 40], __('The authkey must be 40 character long'))
->boolean('skip_ssl');
}

View File

@ -8,6 +8,7 @@ require_once(APP . 'Model' . DS . 'Table' . DS . 'SettingProviders' . DS . 'Base
use App\Settings\SettingsProvider\BaseSettingsProvider;
use App\Settings\SettingsProvider\SettingValidator;
use Cake\Core\Configure;
class CerebrateSettingsProvider extends BaseSettingsProvider
{
@ -300,8 +301,10 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
'security.registration.floodProtection' => [
'name' => __('Enable registration flood-protection'),
'type' => 'boolean',
'description' => __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
'default' => false,
'description' => (Configure::check('security.logging.ip_source') && Configure::read('security.logging.ip_source') !== 'REMOTE_ADDR') ?
__('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame). WARNING: Be aware that you are not using REMOTE_ADDR (as configured via security.logging.ip_source) - this could lead to an attacker being able to spoof their IP and circumvent the flood protection. Only rely on the client IP if your reverse proxy in front of Cerebrate is properly setting this header.'):
__('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
'default' => true,
],
]
],

View File

@ -98,7 +98,7 @@
);
}
$reload_url = !empty($action['reload_url']) ? $action['reload_url'] : $this->Url->build(['action' => 'index']);
$action['onclick'] = sprintf('UI.submissionModalForIndex(\'%s\', \'%s\', \'%s\')', $modal_url, $reload_url, $tableRandomValue);
$action['onclick'] = sprintf('UI.submissionModalForIndex(\'%s\', \'%s\', \'%s\')', h($modal_url), h($reload_url), h($tableRandomValue));
}
echo sprintf(
'<a href="%s" title="%s" aria-label="%s" %s %s class="btn btn-sm btn-%s table-link-action"><i class="%s"></i></a> ',

View File

@ -18,7 +18,11 @@ $form = $this->element('genericElements/Form/genericForm', [
]);
$formHTML = sprintf('<div class="d-none">%s</div>', $form);
if (!empty($id)) {
$bodyMessage = !empty($deletionText) ? h($deletionText) : __('Are you sure you want to delete {0} #{1}?', h(Cake\Utility\Inflector::singularize($this->request->getParam('controller'))), h($id));
} else {
$bodyMessage = !empty($deletionText) ? h($deletionText) : __('Are you sure you want to delete the given {0}?', h(Cake\Utility\Inflector::singularize($this->request->getParam('controller'))));
}
$bodyHTML = sprintf('%s%s', $formHTML, $bodyMessage);
echo $this->Bootstrap->modal([

View File

@ -65,8 +65,7 @@ class AddAuthKeyApiTest extends TestCase
]
);
$this->assertResponseCode(404);
$this->addWarning('Should return 405 Method Not Allowed instead of 404 Not Found');
$this->assertResponseCode(405);
$this->assertDbRecordNotExists('AuthKeys', ['uuid' => $uuid]);
}
}