Sami Mokaddem
f6900b0843
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop
2022-03-08 16:04:14 +01:00
iglocska
61cda0af33
fix: [minor fixes] with the keycloak integration
2022-02-28 10:27:17 +01:00
iglocska
8a6f0ed751
fix: [settings] invalid setting name fixed
2022-02-28 10:23:23 +01:00
iglocska
5734d74a17
Merge branch 'develop' into main
2022-02-28 08:27:54 +01:00
iglocska
1e6b6a5abc
fix: [settings] added test for keycloak enabled
...
- always require one auth method to be enabled
2022-02-28 08:27:22 +01:00
iglocska
498efcf671
Merge branch 'develop' into main
2022-02-28 08:21:11 +01:00
iglocska
9d04533e14
chg: [users] restrict org admins from creating other org admins
...
- temporary solution for a single community, make this optional in the future
2022-02-25 10:20:25 +01:00
iglocska
4902a3f8a6
new: [password auth] added setting to disable password auth
...
- not needed in some cases for keycloak enabled instances
2022-02-25 00:33:00 +01:00
iglocska
79459838eb
chg: [user add] if no password was set, set a random one
...
- can't be used so far as we have no emailing in place
- it allows user creation when username/password mode is disabled
2022-02-25 00:31:19 +01:00
iglocska
6f6c10670e
new: [CRUD] added beforeMarshal hook
2022-02-25 00:30:50 +01:00
iglocska
3790244ce4
new: [individuals] new finder method to find by alignment
2022-02-24 13:47:08 +01:00
iglocska
8fdb8668c8
fix: [alignments] saving of the alignment was omitted before
2022-02-24 13:46:35 +01:00
iglocska
828946a97f
new: [users] several changes
...
- make usernames immutable
- restrict user creation to aligned individuals (org admin only)
- optionally create individual while creating a user
2022-02-24 13:45:10 +01:00
iglocska
b67c221476
fix: [copy pasta fail] left previous assignment in that is now superseded by the if branch above
2022-02-20 15:07:58 +01:00
iglocska
3af0b0afc5
fix: [misp connector] validations with notEmpty() deprecated, replaced with notEmptyString()
2022-02-20 15:02:07 +01:00
iglocska
e2bb58d3c7
fix: [flood protection] default to 127.0.0.1 if no remote_addr is set as we're dealing with a local CLI script
2022-02-20 15:00:15 +01:00
iglocska
c005cb7f66
fix: [error code] adding an authkey for a user you are not authorised to modify resulted in a 404 instead of a 405
2022-02-20 14:56:21 +01:00
iglocska
b046990153
fix: [flood protection] default to REMOTE_ADDR if the selected default logging IP source header is not populated
2022-02-20 11:49:57 +01:00
iglocska
3745739158
chg: [flood protection] Changed the description of the setting based on the used IP source
...
- added a warning about the IP source setting affecting the efficacy of the flood protection with regard to an attacker being potentially able to spoof their IP
- Warn the admin that the reverse proxy used (the main reason to use the alternate headers in the first place) needs to be configured to correctly overwrite the header
- as reported by Dawid Czarnecki of Zigrin Security
2022-02-19 01:42:24 +01:00
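The three flood-protection commits above (default to 127.0.0.1 for CLI scripts, default to REMOTE_ADDR when the selected header is empty, and the warning that a spoofable header defeats the protection unless the reverse proxy overwrites it) describe one resolution order. The following plain-PHP function is an added example written for this page, not Cerebrate's own code: it implements that order and makes the proxy caveat explicit through a list of trusted proxy peers, which is an assumption of this example rather than a Cerebrate setting. The function and parameter names and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Cerebrate code. Resolves the address a flood-protection
// counter should be keyed on: honour the admin-selected header, fall back to
// REMOTE_ADDR when it is empty, and fall back to 127.0.0.1 for CLI runs that
// have no REMOTE_ADDR. $trustedProxies is an assumption of this example: the
// header is only honoured when the TCP peer is a proxy that rewrites it.

/**
 * @param array<string,string> $server          $_SERVER, or a constructed copy of it
 * @param string               $ipSource        'REMOTE_ADDR' or a header key such as
 *                                              'HTTP_X_FORWARDED_FOR' / 'HTTP_X_REAL_IP'
 * @param string[]             $trustedProxies  peers allowed to set that header
 */
function resolveClientIp(array $server, string $ipSource, array $trustedProxies): string
{
    // Local CLI script: no TCP peer at all.
    $remoteAddr = $server['REMOTE_ADDR'] ?? '127.0.0.1';

    if ($ipSource === 'REMOTE_ADDR') {
        return $remoteAddr;
    }

    // Header selected, but the request did not arrive through a trusted proxy:
    // whatever is in the header was written by the client itself, so ignore it.
    if (!in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }

    // Header selected but not populated: fall back rather than keying on "".
    $value = trim($server[$ipSource] ?? '');
    if ($value === '') {
        return $remoteAddr;
    }

    // X-Forwarded-For may be a chain "client, proxy1". A proxy that overwrites
    // leaves one element; one that appends leaves the real client last. Either
    // way the last element is the one the trusted proxy vouches for.
    $parts = array_map('trim', explode(',', $value));
    $candidate = (string) end($parts);

    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remoteAddr;
}

// Constructed requests, not captured traffic.
$proxies = ['10.0.0.2'];

// Request that passed through the trusted proxy, which set the header.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
// Attacker connecting directly and supplying their own header value.
$spoofedDirect = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
// Local CLI invocation: no REMOTE_ADDR at all.
$cli = [];

echo resolveClientIp($viaProxy, 'HTTP_X_FORWARDED_FOR', $proxies), PHP_EOL;
echo resolveClientIp($spoofedDirect, 'HTTP_X_FORWARDED_FOR', $proxies), PHP_EOL;
echo resolveClientIp($cli, 'HTTP_X_FORWARDED_FOR', $proxies), PHP_EOL;
```

Run as written, the proxied request resolves to 198.51.100.7, the direct request resolves to the attacker's real peer address 203.0.113.9 regardless of the header they sent, and the CLI case resolves to 127.0.0.1. Without the trusted-proxy check (or with a proxy that appends instead of overwriting and a resolver that takes the first element), the second case would resolve to whatever the attacker typed, which is exactly the spoofing the commit message warns about.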
iglocska
283299bf36
fix: [security] flood protection control enabled by default
...
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-19 01:34:07 +01:00
iglocska
6e67a5b239
fix: [security] Sharing group creation on behalf of other organisation fixed
...
- org admin could create sharing groups on behalf of other organisations
- can lead to misleading sharing groups being created
- as reported by Dawid Czarnecki of Zigrin Security
2022-02-19 01:21:29 +01:00
iglocska
b41b0dd712
fix: [security] privilege escalation via user edit fixed
...
- org admins could circumvent the role restrictions and elevate themselves to a site admin
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-19 01:02:49 +01:00
iglocska
2da9d8f7d2
new: [keycloak] log enrollment outcome in the audit log
2022-02-18 11:47:33 +01:00
Sami Mokaddem
b01d75aaa6
fix: [helpers:bootstrap] Support of cell variant in table
2022-02-07 13:25:33 +01:00
Sami Mokaddem
ad3e89199b
chg: [settingTable] Added value validation before saving the setting
2022-02-07 12:01:07 +01:00
Sami Mokaddem
336dfb091c
chg: [settingTable] Gracefully handle if file not writeable
2022-02-07 11:11:25 +01:00
Sami Mokaddem
14ec995c2b
fix: [userSettings] Perform URI validation for bookmarks
...
- As reported by Dawid Czarnecki from Zigrin Security
2022-02-07 10:48:55 +01:00
iglocska
c7b226f844
chg: [flood protection] added cleanup
2022-02-07 02:14:53 +01:00
iglocska
d45a4dc499
new: [registration] added optional registration flood protection
...
- As reported by Dawid Czarnecki from Zigrin Security
2022-02-07 02:03:41 +01:00
iglocska
e6643365d2
new: [flood protection] behaviour added
...
simple expiration system to allow flood protections to be added to any functionality
2022-02-07 02:01:59 +01:00
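The "flood protection behaviour", "registration flood protection", "cleanup" and "429 added" commits above describe a simple expiration-based counter that any action can opt into. The class below is an added example for this page, written in plain PHP and not Cerebrate's actual behaviour: it keeps counters in memory instead of a table, and the class, method and action names are assumptions. It shows the window logic, the 429 decision and the cleanup of expired entries.

```php
<?php
declare(strict_types=1);

// Added example, not Cerebrate's FloodProtection behaviour. A fixed-window
// counter keyed on (action, ip) that expires after $windowSecs. Storage is an
// in-memory array here; a real deployment persists the buckets. All names are
// assumptions. Time is passed in explicitly so the expiry can be exercised.

final class FloodProtection
{
    /** @var array<string, array{count:int, expires:int}> */
    private array $buckets = [];

    public function __construct(
        private int $limit,      // attempts allowed per window
        private int $windowSecs  // window length; a bucket expires after it
    ) {}

    private function key(string $action, string $ip): string
    {
        return $action . '|' . $ip;
    }

    /**
     * Record one attempt and say whether it is allowed. A false return is the
     * point at which the caller should respond 429 Too Many Requests.
     */
    public function check(string $action, string $ip, int $now): bool
    {
        $k = $this->key($action, $ip);
        $bucket = $this->buckets[$k] ?? null;

        if ($bucket === null || $bucket['expires'] <= $now) {
            // First hit in a fresh window.
            $this->buckets[$k] = ['count' => 1, 'expires' => $now + $this->windowSecs];
            return true;
        }

        $this->buckets[$k]['count']++;
        return $this->buckets[$k]['count'] <= $this->limit;
    }

    /** Remove expired buckets; returns how many were dropped. */
    public function cleanup(int $now): int
    {
        $before = count($this->buckets);
        $this->buckets = array_filter(
            $this->buckets,
            static fn (array $b): bool => $b['expires'] > $now
        );
        return $before - count($this->buckets);
    }

    public function size(): int
    {
        return count($this->buckets);
    }
}

// Constructed scenario: three registrations per 10 minutes from one address.
$flood = new FloodProtection(limit: 3, windowSecs: 600);
$ip = '203.0.113.9';
$t0 = 1_700_000_000;

$results = [];
for ($i = 0; $i < 5; $i++) {
    $results[] = $flood->check('registration', $ip, $t0 + $i) ? 'allowed' : '429';
}
echo implode(' ', $results), PHP_EOL;

// Once the window has passed, the address may try again and the old bucket
// is reclaimable by the cleanup step.
echo $flood->check('registration', $ip, $t0 + 601) ? 'allowed' : '429', PHP_EOL;
echo $flood->cleanup($t0 + 1300), ' bucket(s) removed', PHP_EOL;
```

The first three attempts pass and the fourth and fifth are refused; after the window elapses the same address is allowed again, and `cleanup()` drops the bucket once it has expired. Keying the bucket on the address returned by the IP-source logic is what ties this to the reverse-proxy caveat in the earlier commits: if that address is attacker-controlled, each spoofed value gets its own fresh bucket and the limit never triggers.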
iglocska
a9c1619bda
new: [Exception] 429 added
2022-02-07 01:59:33 +01:00
iglocska
88f3cc7944
fix: [security] user settings allow enumeration of usernames
...
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:45:42 +01:00
iglocska
a263234917
fix: [security] open endpoints should only be open when enabled
...
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:36:31 +01:00
iglocska
15190b930e
fix: [security] Sharing group ACL fixes
...
- added indirect object reference protection
- added correct ACL functionalities to delete, addOrg, removeOrg
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:16:24 +01:00
iglocska
5fbd53883f
fix: [sync] created field rules added
...
- should stop issues of SG/Individual downloads from remote brood
2022-01-31 09:35:33 +01:00
iglocska
788feab011
chg: [Version] bump
2022-01-27 22:12:35 +01:00
iglocska
cf67c3d1f0
fix: [roles] setting default should be exclusive
...
- added aftersave action to remove default from other roles
2022-01-27 22:06:26 +01:00
iglocska
1ca0f21b86
chg: [user add] form defaults
...
- org will default to own org for site admins
- role will default to the default role (if set)
2022-01-27 21:54:59 +01:00
iglocska
93d4917953
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop
2022-01-27 21:00:32 +01:00
iglocska
c983c6f130
fix: [Keycloak baseurl] remove trailing slashes
2022-01-27 20:59:58 +01:00
iglocska
eb5f7aa675
chg: [base settings provider] pass settings by reference for evaluation
...
- opens it up for modifications by the hooking functions
2022-01-27 20:59:20 +01:00
iglocska
7834ab3d62
chg: [settingsTable] Use settings array for the actual saving in saveSetting
...
- allows us to modify a value in the processing steps before the value is committed to disk
2022-01-27 20:57:35 +01:00
Andras Iklody
6443f36650
Merge pull request #86 from righel/add-inter-connection-tests
...
Add inter-connection test
2022-01-27 16:13:35 +01:00
Sami Mokaddem
7de1c14407
chg: [userSettings:add] Adhere to the passed user context
2022-01-27 10:44:47 +01:00
Sami Mokaddem
789bd9926f
chg: [navigation:users] Restored breadcrumb navigation to access user profile settings
2022-01-27 08:41:31 +01:00
Sami Mokaddem
2e7aabf704
fix: [users:toggle] Prevent users from disabling admins
2022-01-26 16:10:33 +01:00
Sami Mokaddem
fcffad6777
fix: [users:delete] Typo copy paste error
2022-01-26 15:45:57 +01:00
Luciano Righetti
d91a362e99
Merge branch 'develop' into add-inter-connection-tests
2022-01-26 15:31:49 +01:00
iglocska
665999b8f4
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop
2022-01-26 15:29:53 +01:00
iglocska
95ecc2bc80
fix: [security] fields not adhered to in CRUD components edit
...
- users can circumvent restrictions on editable fields
- can lead to privilege escalation when users edit themselves
2022-01-26 15:28:10 +01:00
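Several of the security fixes above share two root causes: an edit or delete endpoint that never checked whether the actor was allowed to touch that particular record (sharing group delete/addOrg/removeOrg, sharing groups created on behalf of another organisation, org admins elevating themselves via user edit), and a marshalling step that applied every posted field instead of only the ones the CRUD component was told were editable. The block below is an added example written for this page in plain PHP, not Cerebrate's code: it models both checks in one edit flow. Users and roles are arrays, and the field names, role flags and helper names (`authoriseUserEdit`, `editableFields`, `patchWithFields`, `assertRoleAssignable`) are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Cerebrate code. Object-level authorisation first, then an
// allow-list of editable fields, then a role-assignment check. Field names,
// role flags and helper names are assumptions; the data is constructed.

final class AccessDenied extends RuntimeException {}

/** Who may edit whom. Fails with an authorisation error, not a "not found". */
function authoriseUserEdit(array $actor, array $target): void
{
    if ($actor['is_site_admin']) {
        return;
    }
    if ($actor['is_org_admin'] && $actor['org_id'] === $target['org_id']) {
        return;
    }
    if ($actor['id'] === $target['id']) {
        return;
    }
    throw new AccessDenied('actor may not edit this user');
}

/** Fields the actor may change on the target. username is never editable. */
function editableFields(array $actor, array $target): array
{
    $common = ['email', 'display_name'];
    if ($actor['is_site_admin']) {
        return [...$common, 'role_id', 'org_id', 'disabled'];
    }
    if ($actor['is_org_admin'] && $actor['id'] !== $target['id']) {
        return [...$common, 'role_id', 'disabled'];
    }
    return $common; // self-edit, whatever the role: no privilege fields
}

/** Non-site-admins may not hand out roles that carry admin permissions. */
function assertRoleAssignable(array $actor, array $roles, int $roleId): void
{
    if (!isset($roles[$roleId])) {
        throw new AccessDenied('unknown role');
    }
    $role = $roles[$roleId];
    if (!$actor['is_site_admin'] && ($role['perm_admin'] || $role['perm_org_admin'])) {
        throw new AccessDenied('only site admins may assign admin roles');
    }
}

/** The bug: every posted key is merged into the entity. */
function patchUnsafe(array $entity, array $data): array
{
    return array_merge($entity, $data);
}

/** The fix: keys outside the allow-list are dropped before merging. */
function patchWithFields(array $entity, array $data, array $fields): array
{
    return array_merge($entity, array_intersect_key($data, array_flip($fields)));
}

/** Complete edit flow: authorise the object, restrict the fields, vet the role. */
function editUser(array $actor, array $target, array $data, array $roles): array
{
    authoriseUserEdit($actor, $target);
    $patched = patchWithFields($target, $data, editableFields($actor, $target));
    if ($patched['role_id'] !== $target['role_id']) {
        assertRoleAssignable($actor, $roles, $patched['role_id']);
    }
    return $patched;
}

// Constructed data, not from any real instance.
$roles = [
    1 => ['name' => 'site admin', 'perm_admin' => true,  'perm_org_admin' => true],
    2 => ['name' => 'org admin',  'perm_admin' => false, 'perm_org_admin' => true],
    3 => ['name' => 'user',       'perm_admin' => false, 'perm_org_admin' => false],
];
$alice = ['id' => 10, 'org_id' => 1, 'role_id' => 3, 'username' => 'alice',
          'email' => 'alice@example.org', 'display_name' => 'Alice', 'disabled' => false,
          'is_site_admin' => false, 'is_org_admin' => false];
$bob   = ['id' => 20, 'org_id' => 2, 'role_id' => 2, 'username' => 'bob',
          'email' => 'bob@example.org', 'display_name' => 'Bob', 'disabled' => false,
          'is_site_admin' => false, 'is_org_admin' => true];

// Alice edits herself and slips role_id and username into the form.
$post = ['email' => 'a@example.org', 'role_id' => 1, 'username' => 'root'];
print_r(patchUnsafe($alice, $post));
print_r(editUser($alice, $alice, $post, $roles));

// Bob, org admin of another organisation, tries the same record.
try {
    editUser($bob, $alice, ['disabled' => true], $roles);
} catch (AccessDenied $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}
```

With `patchUnsafe`, Alice's self-edit lands with `role_id` 1 and `username` `root`; with `editUser` only `email` changes, because the allow-list for a self-edit never contains the privilege fields, so the marshaller never sees them. Bob's cross-organisation edit is refused before any field is read. The same two-step shape (authorise the object, then constrain the writable fields) is what the sharing-group ACL fix and the on-behalf-of-other-org fix need: an org admin's `org_id` for a new sharing group is forced to their own organisation rather than read from the request.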