
Commit 92888b1

committed
fix: [security] new audit logs lack of ACL controls
- added proper ACL handling to the new audit logs - as reported by fukusuket (Fukusuke Takahashi)
1 parent e5809fd commit 92888b1


1 file changed

+20
-4
lines changed


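--- a/app/Controller/AuditLogsController.php
+++ b/app/Controller/AuditLogsController.php
@@ -91,6 +91,21 @@ public function __construct($request = null, $response = null)
 ];
 }
 
+private function __applyAuditACL(array $user)
+{
+$acl = [];
+if (empty($user['Role']['perm_site_admin'])) {
+if (!empty($user['Role']['perm_admin'])) {
+// ORG admins can see their own org info
+$acl = ['AuditLog.org_id' => $user['org_id']];
+} else {
+// users can see their own info
+$acl = ['AuditLog.user_id' => $user['id']];
+}
+}
+return $acl;
+}
+
 public function admin_index()
 {
 $this->paginate['fields'][] = 'ip';
@@ -119,6 +134,10 @@ public function admin_index()
 ]);
 
 $this->paginate['conditions'] = $this->__searchConditions($params);
+$acl = $this->__applyAuditACL($this->Auth->user());
+if ($acl) {
+$this->paginate['conditions']['AND'][] = $acl;
+}
 $list = $this->paginate();
 
 if ($this->_isRest()) {
@@ -156,7 +175,6 @@ public function eventIndex($eventId, $org = null)
 if (empty($event)) {
 throw new NotFoundException('Invalid event.');
 }
-
 $this->paginate['conditions'] = $this->__createEventIndexConditions($event);
 $this->set('passedArgsArray', ['eventId' => $eventId, 'org' => $org]);
 
@@ -233,6 +251,7 @@ public function returnDates($org = 'all')
 */
 private function __searchConditions(array $params)
 {
+$conditions = [];
 $qbRules = [];
 foreach ($params as $key => $value) {
 if ($key === 'model' && strpos($value, ':') !== false) {
@@ -263,7 +282,6 @@ private function __searchConditions(array $params)
 }
 $this->set('qbRules', $qbRules);
 
-$conditions = [];
 if (isset($params['user'])) {
 if (strtoupper($params['user']) === 'SYSTEM') {
 $conditions['AuditLog.user_id'] = 0;
@@ -351,7 +369,6 @@ private function __createEventIndexConditions(array $event)
 // Site admins and event owners can see all changes
 return ['event_id' => $event['Event']['id']];
 }
-
 $event = $this->AuditLog->Event->fetchEvent($this->Auth->user(), [
 'eventid' => $event['Event']['id'],
 'sgReferenceOnly' => 1,
@@ -361,7 +378,6 @@ private function __createEventIndexConditions(array $event)
 'includeEventCorrelations' => false,
 'excludeGalaxy' => true,
 ])[0];
-
 $attributeIds = [];
 $objectIds = [];
 $proposalIds = array_column($event['ShadowAttribute'], 'id');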
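Review bot: The new `__applyAuditACL` filter is wired into only one call site, `admin_index`; `eventIndex` is scoped separately through `__createEventIndexConditions`, but any other action in this controller that returns AuditLog rows (a per-entry detail view, for instance, if one exists) is not touched by this commit and would need the same AND-ed condition, so that is worth confirming before closing the report. The helper is also undocumented while the neighbouring `__searchConditions` carries a docblock; I would add one stating that it returns an empty array for site admins (meaning "no restriction"), an `AuditLog.org_id` condition for org admins and an `AuditLog.user_id` condition for everyone else, so a future caller does not read the empty return as "deny". The helper does fail closed when `$user['Role']` is missing, since `empty()` on the absent key drops into the user-scoped branch, which is the right default. A regression test asserting that a non-admin's paginated result contains only rows with their own `user_id` would pin the fix. `admin_index` continues past the end of its hunk, so the REST and HTML output paths that consume `$list` are not visible here.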
