#161 Secure access to user settings and report template pages.

TheHive-Project · Mar 28, 2017 · 31a695c · 31a695c
1 parent 3a585cf
commit 31a695c
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 15 deletions.
diff --git a/ui/app/scripts/app.js b/ui/app/scripts/app.js
@@ -3,7 +3,7 @@ angular.module('theHiveServices', []);
 angular.module('theHiveFilters', []);
 angular.module('theHiveDirectives', []);
 
-angular.module('thehive', ['ngAnimate', 'ngMessages', 'ui.bootstrap', 'ui.router',
+angular.module('thehive', ['ngAnimate', 'ngMessages', 'ngSanitize', 'ui.bootstrap', 'ui.router',
         'theHiveControllers', 'theHiveServices', 'theHiveFilters',
         'theHiveDirectives', 'yaru22.jsonHuman', 'timer', 'angularMoment', 'ngCsv', 'ngTagsInput', 'btford.markdown',
         'ngResource', 'ui-notification', 'angularjs-dropdown-multiselect', 'base64', 'angular-clipboard',
@@ -52,9 +52,9 @@ angular.module('thehive', ['ngAnimate', 'ngMessages', 'ui.bootstrap', 'ui.router
                         var deferred = $q.defer();
 
                         AuthenticationSrv.current(function(userData) {
-                            deferred.resolve(userData);
-                        }, function(err) {
-                            deferred.reject(err);
+                            return deferred.resolve(userData);
+                        }, function( /*err, status*/ ) {
+                            return deferred.resolve(null);
                         });
 
                         return deferred.promise;
@@ -67,7 +67,7 @@ angular.module('thehive', ['ngAnimate', 'ngMessages', 'ui.bootstrap', 'ui.router
             .state('app.main', {
                 url: 'main/{viewId}',
                 params: {
-                    viewId: 'currentcases'
+                    viewId: 'mytasks'
                 },
                 templateUrl: 'views/app.main.html',
                 controller: 'MainPageCtrl'
@@ -91,6 +91,22 @@ angular.module('thehive', ['ngAnimate', 'ngMessages', 'ui.bootstrap', 'ui.router
                 controller: 'SettingsCtrl',
                 title: 'Personal settings',
                 resolve: {
+                    currentUser: function($q, $state, $timeout, AuthenticationSrv) {
+                        var deferred = $q.defer();
+
+                        AuthenticationSrv.current(function(userData) {
+                            return deferred.resolve(userData);
+                        }, function( /*err, status*/ ) {
+
+                            $timeout(function() {
+                                $state.go('login');
+                            });
+
+                            return deferred.reject();
+                        });
+
+                        return deferred.promise;
+                    },
                     appConfig: function(VersionSrv) {
                         return VersionSrv.get();
                     }
@@ -106,18 +122,20 @@ angular.module('thehive', ['ngAnimate', 'ngMessages', 'ui.bootstrap', 'ui.router
                 abstract: true,
                 url: 'administration',
                 template: '<ui-view/>',
-                onEnter: function($state, AuthenticationSrv){
+                onEnter: function($state, AuthenticationSrv) {
                     var currentUser = AuthenticationSrv.currentUser;
 
-                    if(!currentUser || !currentUser.roles || _.map(currentUser.roles, function(role) {
-                        return role.toLowerCase();
-                    }).indexOf('admin') === -1) {
-                        if(!$state.is('app.cases')) {
+                    if (!currentUser || !currentUser.roles || _.map(currentUser.roles, function(role) {
+                            return role.toLowerCase();
+                        }).indexOf('admin') === -1) {
+                        if (!$state.is('app.cases')) {
                             $state.go('app.cases');
                         } else {
                             return $state.reload();
                         }
                     }
+
+                    return true;
                 }
             })
             .state('app.administration.users', {

diff --git a/ui/app/scripts/controllers/RootCtrl.js b/ui/app/scripts/controllers/RootCtrl.js
@@ -5,9 +5,14 @@ angular.module('theHiveControllers').controller('RootCtrl',
     function($scope, $uibModal, $location, $state, $base64, AuthenticationSrv, MispSrv, StreamSrv, StreamStatSrv, TemplateSrv, MetricsCacheSrv, AlertSrv, currentUser) {
         'use strict';
 
+        if(!currentUser || !currentUser.id) {
+            $state.go('login');
+            return;
+        }
+
         $scope.querystring = '';
         $scope.view = {
-            data: 'currentcases'
+            data: 'mytasks'
         };
         $scope.mispEnabled = false;
 

diff --git a/ui/app/scripts/controllers/SettingsCtrl.js b/ui/app/scripts/controllers/SettingsCtrl.js
@@ -1,9 +1,15 @@
 (function() {
     'use strict';
     angular.module('theHiveControllers').controller('SettingsCtrl',
-        function($scope, $state, UserSrv, AlertSrv, resizeService, readLocalPicService, UserInfoSrv, appConfig) {
+        function($scope, $state, UserSrv, AlertSrv, resizeService, readLocalPicService, UserInfoSrv, currentUser, appConfig) {
+            $scope.currentUser = currentUser;
             $scope.appConfig = appConfig;
 
+            if(!currentUser || !currentUser.id) {
+                $state.go('login');
+                return;
+            }
+
             $scope.basicData = {
                 username: $scope.currentUser.id,
                 name: $scope.currentUser.name,

diff --git a/ui/app/scripts/controllers/admin/AdminReportTemplatesCtrl.js b/ui/app/scripts/controllers/admin/AdminReportTemplatesCtrl.js
@@ -8,7 +8,7 @@
         .controller('AdminReportTemplateDeleteCtrl', AdminReportTemplateDeleteCtrl);
 
 
-    function AdminReportTemplatesCtrl($q, $uibModal, AnalyzerSrv, ReportTemplateSrv) {
+    function AdminReportTemplatesCtrl($q, $uibModal, AnalyzerSrv, ReportTemplateSrv, AlertSrv) {
         var self = this;
 
         this.templates = [];
@@ -34,6 +34,8 @@
                 self.analyzers = cleared;
 
                 return $q.resolve(self.analyzers);
+            }, function(rejection) {
+                AlertSrv.error('ReportTemplates', rejection.data, rejection.status);
             }).then(function (analyzersMap) {
                 if(_.isEmpty(analyzersMap)) {
                     _.each(_.pluck(self.templates, 'analyzerId'), function(item) {

diff --git a/ui/app/scripts/services/AnalyzerSrv.js b/ui/app/scripts/services/AnalyzerSrv.js
@@ -35,8 +35,8 @@
                             }), 'id');
 
                             deferred.resolve(analyzers);
-                        }, function (/*rejection*/) {
-                            deferred.reject({});
+                        }, function (rejection) {
+                            deferred.reject(rejection);
                         });
 
                     } else {