79459838eb
chg: [user add] if no password was set, set a random one
...
- can't be used so far as we have no emailing in place
- it allows user creation when username/password mode is disabled
2022-02-25 00:31:19 +01:00
6f6c10670e
new: [CRUD] added beforeMarshal hook
2022-02-25 00:30:50 +01:00
828946a97f
new: [users] several changes
...
- make usernames immutable
- restrict user creation to aligned individuals (org admin only)
- optionally create individual while creating a user
2022-02-24 13:45:10 +01:00
64cb0f920a
chg: [mailinglist] Added ACL conditions on mailing list operations
...
- Site admins have all authorizations
- Org admins can manipulate the list their user own (can be later replaced by organisation_id instead of user_id)
- Other users can see the all lists they are included in
2022-02-23 10:03:12 +01:00
d2c98fc3c5
chg: [Component:ACL] Added entries for mailing list
2022-02-23 10:01:18 +01:00
ba047885c9
chg: [Component:ACL] Added entry for audit log filtering
2022-02-23 10:00:42 +01:00
20d896ad47
chg: [Component:CRUD] Allow to filter out rows from the index with afterFind
...
Filtering can be achieved by returning `false` instead of the row in the `afterFind` function
2022-02-23 09:58:55 +01:00
bf3e31c59a
fix: [Component:CRUD] Typo in merge conflict
2022-02-23 08:18:08 +01:00
bce4c5fde9
chg: [Component:CRUD] Removed comment and init correct variable type
2022-02-21 11:51:05 +01:00
aeac86cb52
chg: [Component:CRUD] Typo
2022-02-21 11:48:41 +01:00
7ea5acb167
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop-unstable
2022-02-21 11:17:05 +01:00
b67c221476
fix: [copy pasta fail] left previous assignment in that is now superseeded by the if branch above
2022-02-20 15:07:58 +01:00
e2bb58d3c7
fix: [flood protection] default to 127.0.0.1 if no remote_addr is set as we're dealing with a local CLI script
2022-02-20 15:00:15 +01:00
c005cb7f66
fix: [error code] adding an authkey for a user you are not authorised to modify resulted in a 404 instead of a 405
2022-02-20 14:56:21 +01:00
b046990153
fix: [flood protection] default to REMOTE_ADDR if the selected default logging IP source header is not populated
2022-02-20 11:49:57 +01:00
283299bf36
fix: [security] flood protection control enabled by default
...
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-19 01:34:07 +01:00
6e67a5b239
fix: [security] Sharing group creation on behalf of other organisation fixed
...
- org admin could create sharing groups on behalf of other organisations
- can lead to misleading sharing groups being created
- as reported by Dawid Czarnecki of Zigrin Security
2022-02-19 01:21:29 +01:00
b41b0dd712
fix: [security] privilege escalation via user edit fixed
...
- org admins could circumvent the role restrictions and elevate themselves to a site admin
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-19 01:02:49 +01:00
a77e29fa38
new: [layout:sidebar] Notifications in the sidebar
2022-02-08 17:58:30 +01:00
62ca877f0b
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop-unstable
2022-02-08 08:42:25 +01:00
c7b226f844
chg: [flood protection] added cleanup
2022-02-07 02:14:53 +01:00
d45a4dc499
new: [registration] added optional registration flood protection
...
- As reported by Dawid Czarnecki from Zigrin Security
2022-02-07 02:03:41 +01:00
e6643365d2
new: [flood protection] behaviour added
...
simple expiration system to allow flood protections to be added to any functionality
2022-02-07 02:01:59 +01:00
88f3cc7944
fix: [security] user settings allow enumeration of usernames
...
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:45:42 +01:00
a263234917
fix: [security] open endpoints should only be open when enabled
...
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:36:31 +01:00
15190b930e
fix: [security] Sharing group ACL fixes
...
- added indirect object reference protection
- added correct ACL functionalities to delete, addOrg, removeOrg
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:16:24 +01:00
cf67c3d1f0
fix: [roles] setting default should be exclusive
...
- added aftersave action to remove default from other roles
2022-01-27 22:06:26 +01:00
1ca0f21b86
chg: [user add] form defaults
...
- org will default to own org for site admins
- role will default to the default role (if set)
2022-01-27 21:54:59 +01:00
6443f36650
Merge pull request #86 from righel/add-inter-connection-tests
...
Add inter-connection test
2022-01-27 16:13:35 +01:00
7de1c14407
chg: [userSettings:add] Adhere to the passed user context
2022-01-27 10:44:47 +01:00
789bd9926f
chg: [navigation:users] Restored breadcrumb navigation to access user profile settings
2022-01-27 08:41:31 +01:00
2e7aabf704
fix: [users:toggle] Prevent users to disable admins
2022-01-26 16:10:33 +01:00
fcffad6777
fix: [users:delete] Typo copy paste error
2022-01-26 15:45:57 +01:00
d91a362e99
Merge branch 'develop' into add-inter-connection-tests
2022-01-26 15:31:49 +01:00
665999b8f4
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop
2022-01-26 15:29:53 +01:00
95ecc2bc80
fix: [security] fields not adhered to in CRUD components edit
...
- users can circumvent restrictions on editable fields
- can lead to privilege escalation when users edit themselves
2022-01-26 15:28:10 +01:00
d05868106d
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop
2022-01-26 14:59:57 +01:00
f695744bd7
fix: [user view] ACL fixed
2022-01-26 14:57:01 +01:00
b7facf226d
chg: [Navigationcomponent] added missing changes from previous commit
2022-01-26 14:55:47 +01:00
74e95855bd
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop
2022-01-26 14:54:03 +01:00
c186c88d5c
chg: [navigation] Breadcrumb generation is user aware
...
- moved the initialisation of the generation to be invoked from the appcontroller's beforefilter, after the user is loaded into the ACL component
- Only show user setting edits when the user is editing themselves
2022-01-26 14:21:27 +01:00
9a0ddef2af
new: [ACL] added canEditUser() function
...
- simple comparison between two users
- checks role + org based permission
2022-01-26 14:16:28 +01:00
54ee91ba1a
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop
2022-01-26 12:11:53 +01:00
f53b458103
fix: [userSettings] Allow admin to edit other user's settings
2022-01-26 12:11:44 +01:00
d18471ba95
fix: failing when request is empty json object
2022-01-25 18:02:41 +01:00
19c81b7c11
fix: [Sharing groups] UUID and owner org shouldn't be editable
2022-01-25 17:09:29 +01:00
acc9c94baa
Merge branch 'main' into develop
2022-01-25 15:59:31 +01:00
55782af52b
fix: [users] add
...
- fixed role selection
2022-01-25 15:58:31 +01:00
44913c5ed7
fix: [users:settings] Allow admin to see account settings of other users
2022-01-25 15:27:34 +01:00
4f8b663b87
chg: [localtTools:connectionRequest] Provide more info on exception
2022-01-25 15:02:30 +01:00
7d227a4387
chg: [inbox:index] Sort messages by created datetime
2022-01-25 15:02:25 +01:00
dc2bfcb6b2
fix: [components:CRUD] Support of controller's paginate public variable
2022-01-25 15:02:16 +01:00
e9f77aff51
Merge branch 'develop' into main
2022-01-25 11:36:06 +01:00
57e2c75352
fix: [users] role based action filtering added
...
- to avoid annoying clickable, but blocked actions for og admins
2022-01-25 11:34:22 +01:00
74df550419
chg: [inbox:collectNotifications] Collect notifications for the logged in user
2022-01-25 11:32:09 +01:00
dd3a1b8a15
chg: [appcontroller] Breadcrumbs and notifications are fetched only if the user is logged in
2022-01-25 11:29:50 +01:00
7535cd2bdf
chg: [localtTools:connectionRequest] Provide more info on exception
2022-01-24 16:12:46 +01:00
6321725fa9
new: [notification] Added initial version of the notification system
2022-01-24 15:13:28 +01:00
932a28288d
new: [CRUD] added some new useful features
...
- afterFind for the edit functions to make last minute decisions on the modification after already having loaded the data to be modified
- moved the field restrictions to be able to pass it to the view
- try/catch for bulk deletions. A single failure in the beforeSave call will no longer block the entire saving process
2022-01-21 13:41:29 +01:00
7c557f6d85
chg: [inbox:index] Sort messages by created datetime
2022-01-21 09:48:53 +01:00
a59f59ba0d
fix: [components:CRUD] Support of controller's paginate public variable
2022-01-21 09:35:55 +01:00
38a9aa9869
chg: [auditlog] Allow filtering and searching the table
2022-01-20 13:55:27 +01:00
420bbb9207
fix: [auditlog] Typo in field name
2022-01-20 13:54:59 +01:00
ec76948ebd
fix: [component:CRUD] Filtering view variables get correctly set
2022-01-20 13:54:17 +01:00
a98c7f8f32
fix: [metaTemplate] Various fixed on meta-templates updates
2022-01-20 12:00:39 +01:00
86946719c7
chg: [component:CRUD] Fixed typo
2022-01-20 11:57:48 +01:00
a60ca95120
chg: [ui:api] Moved API navigation link into admin section and created breadcrumb config
2022-01-20 09:32:39 +01:00
2e0051401f
chg: [appController] Don't generate nav breadcrumbs in API context
2022-01-20 09:31:51 +01:00
324ac1ce40
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into refactor-metatemplates
2022-01-20 09:00:45 +01:00
80cd93da40
Merge pull request #80 from righel/add-integration-tests
...
Add integration tests
2022-01-19 16:25:19 +01:00
d488f01051
fix: [authkey] add fixed
...
- incorrectly potentially filter out valid options when adding a key by a regular user
2022-01-19 14:39:03 +01:00
ee5c723c71
Merge branch 'develop' into add-integration-tests
2022-01-18 18:11:53 +01:00
f75d0829d1
fix: [user edit] fixed for non admins
2022-01-18 17:52:59 +01:00
dbaa2ba7b3
fix: [encryption keys] several fixes
...
- fix the user view to correctly point to the list of related encryption keys
- fix the lookup on the index to be based on owner_model + owner_id combo
- fix the filtering of the dropdown in the encryption key add form to only valid options
2022-01-18 16:56:38 +01:00
afcfe57767
Merge branch 'develop' into add-integration-tests
2022-01-18 16:26:06 +01:00
eae8e62e5e
fix: [CRUD] delete post message fix
...
- correct order of execution for the beforesave command
2022-01-18 16:24:24 +01:00
6e31005d79
Merge branch 'develop' into add-integration-tests
2022-01-18 16:11:23 +01:00
8cb24baf5f
fix: [ACL] tightening for delete functions
...
- implemented beforeSave() function in the CRUD::delete() functionality
- added correct handling for the organisation level encryption keys in the beforeSave constructor
2022-01-18 15:35:55 +01:00
c35d67ebca
fix: [encryption keys] functionality to filter orgs/individuals fixed
...
- actually execute the query rather than just build it
2022-01-18 14:59:41 +01:00
f48c1a5a17
Merge branch 'develop' into add-integration-tests
2022-01-18 14:29:54 +01:00
a29a4ea024
Merge branch 'main' into develop
2022-01-18 00:23:19 +01:00
ec994b05ed
chg: [user] edit restricted to password only for self
2022-01-18 00:20:53 +01:00
b80d778e1a
fix: [encryption keys] tightened ACL across all CRUD functions
2022-01-18 00:17:47 +01:00
8c97c3b3a0
Merge branch 'main' into develop
2022-01-17 17:17:31 +01:00
6d13d4aba0
fix: [authkeys] tighten requirements to add authkeys for other org admins
...
- site admin: can add to all
- org admin: can add to all in org, except site admin
- everyone else: can add to self only
2022-01-17 17:16:03 +01:00
49a3dd1623
chg: [instance] Added support of API response for 2 endpoints
2022-01-17 15:55:55 +01:00
0c9b032536
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop
2022-01-17 15:30:07 +01:00
98e8272810
fix: [ACL] Allow anyone to view encryption keys
2022-01-17 15:29:58 +01:00
ef2827e87a
fix: [userSettings] Various permissions issues
2022-01-17 15:24:30 +01:00
453c838dfe
fix: [placeholder removed] WiP functionality for local_tool->local_tool connections within the same brood temporarily removed
...
- was never fully implemented
2022-01-17 13:15:26 +01:00
1b4c681a88
new: [Outbox] entity added
...
- to inherit the appModel functions
2022-01-17 12:47:48 +01:00
12d7607aae
new: [encryption key] view added
...
- was missing, despite links to it
2022-01-17 09:45:45 +01:00
caf48c9060
fix: [ACL] proper error messages on user edit
...
- don't just silently redirect to the own user editing if the user isn't authorised to modify another user
2022-01-17 09:19:53 +01:00
87723c2100
fix: [ACL] added correct file for previous fix (user edit admin permission check)
2022-01-12 10:32:47 +01:00
204c60f739
fix: [ACL] fixed ACL check on user edit for the admin permission
...
- invalid name used for the lookup (perm_side_admin instead of perm_admin) leading to incorrect downgrading of the permissions
2022-01-12 10:31:06 +01:00
241e760ad2
add: add API menu option
2022-01-10 16:20:22 +01:00
ce1a51cc39
fix: incorrect check
2022-01-10 11:59:23 +01:00
a69608530c
new: add /api openapi spec view with redoc, add faker to fixtures, validate api responses with openapi spec, add /api/v1/ prefix to api routes
2022-01-07 13:45:52 +01:00
f45727704f
fix: deprecation warning
2022-01-05 17:44:24 +01:00
30ec856dc3
fix: [local_tool:batchApiAction] Various UI and backend fixes
2021-12-21 12:36:36 +01:00
3ed5af776a
fix: [local_tool:batchApiAction] Various UI and backend fixes
2021-12-21 12:34:37 +01:00
0dea5ab486
chg: [metaTemplate] Added endpoint to load template from disk by uuid
2021-12-20 14:24:20 +01:00
fa364c2b2f
fix: [metaTemplate] Repaired update_all
2021-12-15 15:33:58 +01:00
02cc0c30a3
chg: [metaTemplate] Major refactoring and documentation - WiP
2021-12-14 15:09:40 +01:00
f7ae58a22d
chg: [component:crud] Renaming the default `all` contextual filter
2021-12-14 15:08:28 +01:00
aa83b1aa37
chg: [metaTemplate] Update system and conflict resolution interfaces - WiP
2021-12-08 11:11:46 +01:00
4c7dc85d0e
fix: [encryptions] fixed adding encryption keys
2021-12-01 15:24:08 +01:00
e408f29a05
chg: [appcontroller] minor changes
...
- getRoleAccess now returns array format
- moved setting of view variables behind a rest check, to avoid additional unused actions for API queries
- current user's role access matrix passed to view via "roleAccess"
2021-12-01 14:24:32 +01:00
fbb1a52724
new: [ACL component] new functionalities
...
- getRoleAccess now returns either URLs or arrays
- array format allows for easy checking of controller + action pairs
2021-12-01 14:22:02 +01:00
819d96e805
new: [metaTemplate] Interface and functions to update meta-templates - WiP
...
Actual update not implemented yet.
2021-12-01 11:01:31 +01:00
d2a88b3a18
chg: [Component:Navigation] Breadcrumbs get loaded before rendering to have access to view var
...
So that it can have access to view variables
2021-12-01 08:25:20 +01:00
392faa60e4
new: [ACL] getRoleAccess endpoint added
...
- prints all valid URLs for the current user's role
2021-11-30 00:00:05 +01:00
c7d40d42c7
fix: [ACL] added missing entries
2021-11-29 23:37:41 +01:00
22be309dc2
fix: [ACL] fix wildcard controller checks failing
2021-11-28 23:42:22 +01:00
7fa0537cfd
fix: [encryption keys] only show valid options when creating keys as a user
2021-11-27 23:51:32 +01:00
cc5c750de8
chg: [audit log] change field renamed to changed
...
- change is a reserved keyword
- this way quoting of field names is no longer needed in the cakePHP settings
2021-11-25 00:57:31 +01:00
aa42e6763a
chg: [metaTemplate] Started implementing new update system - WiP
2021-11-24 09:14:09 +01:00
94c0b171a1
chg: [component:CRUD] Added comment to be fixed later on - WiP
2021-11-24 09:12:39 +01:00
bacb3dc85e
fix: [API] fixed broken API
...
- don't call functions specifically meant for the UI when in an ACL context
- also fixed breaking issues with the logging
2021-11-24 01:50:55 +01:00
22e4a90af0
chg: [ACL] tightened ACL for several controllers
...
- org admins now have access to new functionalities, added ACL for them
- Affected controllers:
- Authkeys, encryptionkeys, users, sharinggroups
- sets defaults/restricts access accordingly
2021-11-24 01:32:05 +01:00
0fe7f4f931
new: [CRUD] added additional features to the CRUD component
...
- conditions passable to add/edit/index/delete
- refactored get() requests internally to finds to accomodate for additional parameters
- delete() now takes a params[] array as a second argument
2021-11-24 01:30:28 +01:00
5483357e1c
chg: [ACL] fix permissions for org admins
...
- also, fix a bug with the simple permissions being ignored
2021-11-24 01:29:39 +01:00
dad310f434
chg: [appcontroller] include user org in loaded user object during authentication
...
- also log username as username rather than name
2021-11-24 01:28:52 +01:00
3c0237f387
fix: [component:CRUD] Regression where entities not supporting metafields couldn't be saved
2021-11-23 14:56:25 +01:00
fd21934641
chg: [sharingGroups] Cleaned useless view variables
2021-11-23 14:55:21 +01:00
ef91cfcee3
chg: [genericElements:index_table] Continuation of stats for current view - WiP
2021-11-17 17:04:39 +01:00
18b78e8eec
fix: [audit log] filtering now uses request_action rather than the renamed action field
2021-11-17 16:04:57 +01:00
7b52d29320
new: [login] log success/failure
2021-11-17 15:49:28 +01:00
bc2e2fa488
new: [open] individualscontroller fix
...
- import badrequest exception
2021-11-17 15:48:49 +01:00
cc04373375
new: [crud component] fixes
...
- add hidden option
- fix afterfind
2021-11-17 15:47:32 +01:00
1f77569344
chg: [auditlog] log api authentication failures / successes
2021-11-17 15:46:32 +01:00
af4f114f2f
chg: [audit logs] tied into side menu
2021-11-17 14:45:20 +01:00
23dc460359
new: [auditlog system] added
...
- port of Jakub Onderka's implementation from MISP
- Still not fully realised, lacking search functionalities
2021-11-17 14:44:07 +01:00
25f0f07251
chg: [genericElements:index_table] Added support of statistic for current view - WiP
2021-11-15 11:51:47 +01:00
509b203591
chg: [instance:home] Added support of both `modified` and `created` in stat panels
2021-11-12 15:40:03 +01:00
24e5a94662
chg: [mailinglist:addIndividual] Removed possiblity to edit individual already in the list
...
This can be confusing and require special handling when saving joinData
2021-11-12 13:49:54 +01:00
2ba3e3ce00
fix: [mailinglist] Edition was not possible in some cases
2021-11-11 15:22:35 +01:00
b51cf2ed59
fix: [Component:CRUD] Pass expected argument
2021-11-11 14:51:51 +01:00
cc0b1ad3b4
chg: [component:CRUD] Added support of metafield in quickfilter feature
2021-11-10 15:28:09 +01:00
d6d592ff8c
new: [genericElement:index_table] Added support of meta_fields searches
2021-11-10 12:07:27 +01:00
a005d0491f
new: [genericElements:index_table] Support of meta_fields in table column
2021-11-10 09:06:39 +01:00
d71f48fc9f
chg: [component:CRUD] Small refactoring to improve re-usability
2021-11-10 09:02:51 +01:00
04ad3be4a6
fix: [component:CRUD] Correctly inspect the redirect key
2021-11-09 09:15:19 +01:00
1feed8ecaf
fix: [component:paramHandler] Correctly handle arrays
...
Also removed duplicated function
2021-11-09 09:12:41 +01:00
452873e3ba
chg: [ui:meta_templates] Slightly improved UI
2021-11-09 09:11:35 +01:00
a0f6c6a7e0
chg: [behavior:meta_field] Better integration in CRUD and tables
2021-11-09 08:59:17 +01:00
f62caa919b
chg: [navigation] Navigation's actions now relies on modal instead of redirecting to the page
2021-11-08 15:56:39 +01:00
d045f1f4d5
chg: [ui] Added support of redirections via Ajax responses
2021-11-08 15:54:37 +01:00
50737543a9
chg: [component:CRUD] Cleanup leftovers comments
2021-11-08 15:03:05 +01:00
94fbd74918
chg: [component:CRUD] Support of validation and re-edition (WiP)
2021-11-08 14:08:47 +01:00
iglocska