From 31a695cd5f955874ea5188905151f296761a79c6 Mon Sep 17 00:00:00 2001
From: Nabil Adouani
Date: Tue, 28 Mar 2017 14:45:30 +0200
Subject: [PATCH] #161 Secure access to user settings and report template pages.
---
 ui/app/scripts/app.js | 38 ++++++++++++++-----
 ui/app/scripts/controllers/RootCtrl.js | 7 +++-
 ui/app/scripts/controllers/SettingsCtrl.js | 8 +++-
 .../admin/AdminReportTemplatesCtrl.js | 4 +-
 ui/app/scripts/services/AnalyzerSrv.js | 4 +-
 5 files changed, 46 insertions(+), 15 deletions(-)
diff --git a/ui/app/scripts/app.js b/ui/app/scripts/app.js
index ca077c5f2a..091c1c970f 100644
--- a/ui/app/scripts/app.js
+++ b/ui/app/scripts/app.js
@@ -3,7 +3,7 @@ angular.module('theHiveServices', []);
 angular.module('theHiveFilters', []);
 angular.module('theHiveDirectives', []);
-angular.module('thehive', ['ngAnimate', 'ngMessages', 'ui.bootstrap', 'ui.router',
+angular.module('thehive', ['ngAnimate', 'ngMessages', 'ngSanitize', 'ui.bootstrap', 'ui.router',
 'theHiveControllers', 'theHiveServices', 'theHiveFilters', 'theHiveDirectives', 'yaru22.jsonHuman', 'timer', 'angularMoment', 'ngCsv', 'ngTagsInput', 'btford.markdown', 'ngResource', 'ui-notification', 'angularjs-dropdown-multiselect', 'base64', 'angular-clipboard',
@@ -52,9 +52,9 @@ angular.module('thehive', ['ngAnimate', 'ngMessages', 'ui.bootstrap', 'ui.router
 var deferred = $q.defer();
 AuthenticationSrv.current(function(userData) {
- deferred.resolve(userData);
- }, function(err) {
- deferred.reject(err);
+ return deferred.resolve(userData);
+ }, function( /*err, status*/ ) {
+ return deferred.resolve(null);
 });
 return deferred.promise;
@@ -67,7 +67,7 @@ angular.module('thehive', ['ngAnimate', 'ngMessages', 'ui.bootstrap', 'ui.router
 .state('app.main', {
 url: 'main/{viewId}',
 params: {
- viewId: 'currentcases'
+ viewId: 'mytasks'
 },
 templateUrl: 'views/app.main.html',
 controller: 'MainPageCtrl'
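Review bot: The error callback of the `app` state's `currentUser` resolve now discards its arguments and resolves `null` for every failure of `AuthenticationSrv.current`, so a network or 5xx error becomes indistinguishable from an unauthenticated session and ends in a redirect to `login` (the RootCtrl guard later in this commit). Failing closed is the right default here, but the reason is thrown away before anything can record it; keep the arguments and log them, e.g. `function(err, status) { $log.warn('current user lookup failed', status); return deferred.resolve(null); }`, with `$log` injected into the resolve function, whose signature is outside this hunk. The first and third hunks on this line (the `ngSanitize` module and the `mytasks` default view) look unrelated to the ticket and would be easier to audit as a separate commit.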
@@ -91,6 +91,22 @@ angular.module('thehive', ['ngAnimate', 'ngMessages', 'ui.bootstrap', 'ui.router
 controller: 'SettingsCtrl',
 title: 'Personal settings',
 resolve: {
+ currentUser: function($q, $state, $timeout, AuthenticationSrv) {
+ var deferred = $q.defer();
+
+ AuthenticationSrv.current(function(userData) {
+ return deferred.resolve(userData);
+ }, function( /*err, status*/ ) {
+
+ $timeout(function() {
+ $state.go('login');
+ });
+
+ return deferred.reject();
+ });
+
+ return deferred.promise;
+ },
 appConfig: function(VersionSrv) {
 return VersionSrv.get();
 }
@@ -106,18 +122,20 @@ angular.module('thehive', ['ngAnimate', 'ngMessages', 'ui.bootstrap', 'ui.router
 abstract: true,
 url: 'administration',
 template: '',
- onEnter: function($state, AuthenticationSrv){
+ onEnter: function($state, AuthenticationSrv) {
 var currentUser = AuthenticationSrv.currentUser;
- if(!currentUser || !currentUser.roles || _.map(currentUser.roles, function(role) {
- return role.toLowerCase();
- }).indexOf('admin') === -1) {
- if(!$state.is('app.cases')) {
+ if (!currentUser || !currentUser.roles || _.map(currentUser.roles, function(role) {
+ return role.toLowerCase();
+ }).indexOf('admin') === -1) {
+ if (!$state.is('app.cases')) {
 $state.go('app.cases');
 } else {
 return $state.reload();
 }
 }
+
+ return true;
 }
 })
 .state('app.administration.users', {
diff --git a/ui/app/scripts/controllers/RootCtrl.js b/ui/app/scripts/controllers/RootCtrl.js
index cb7acb9f0b..c7689fed37 100644
--- a/ui/app/scripts/controllers/RootCtrl.js
+++ b/ui/app/scripts/controllers/RootCtrl.js
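Review bot: The failure callback of the new settings-state `currentUser` resolve rejects with no reason (`return deferred.reject();`), so the state-change error for the settings page carries `undefined` and the status that caused it is lost; pass it through, `function(err, status) { ... return deferred.reject(err); }`. It also duplicates the `currentUser` resolve on the parent `app` state earlier in this file but picks the opposite failure mode — the parent resolves `null` and lets RootCtrl redirect, this one redirects from inside the resolve and rejects — so one `resolveCurrentUser` helper shared by both states would leave a single behaviour to audit. The `$timeout` around `$state.go('login')` is presumably there so the redirect starts only after the current transition has been abandoned; a comment stating the actual reason, e.g. `// deferred: presumably so the redirect does not race the transition being rejected`, would spare the next reader the guess.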
@@ -5,9 +5,14 @@
 angular.module('theHiveControllers').controller('RootCtrl', function($scope, $uibModal, $location, $state, $base64, AuthenticationSrv, MispSrv, StreamSrv, StreamStatSrv, TemplateSrv, MetricsCacheSrv, AlertSrv, currentUser) {
 'use strict';
+ if(!currentUser || !currentUser.id) {
+ $state.go('login');
+ return;
+ }
+
 $scope.querystring = '';
 $scope.view = {
- data: 'currentcases'
+ data: 'mytasks'
 };
 $scope.mispEnabled = false;
diff --git a/ui/app/scripts/controllers/SettingsCtrl.js b/ui/app/scripts/controllers/SettingsCtrl.js
index 1492d46fb1..c38686b868 100644
--- a/ui/app/scripts/controllers/SettingsCtrl.js
+++ b/ui/app/scripts/controllers/SettingsCtrl.js
@@ -1,9 +1,15 @@
 (function() {
 'use strict';
 angular.module('theHiveControllers').controller('SettingsCtrl',
- function($scope, $state, UserSrv, AlertSrv, resizeService, readLocalPicService, UserInfoSrv, appConfig) {
+ function($scope, $state, UserSrv, AlertSrv, resizeService, readLocalPicService, UserInfoSrv, currentUser, appConfig) {
+ $scope.currentUser = currentUser;
 $scope.appConfig = appConfig;
+ if(!currentUser || !currentUser.id) {
+ $state.go('login');
+ return;
+ }
+
 $scope.basicData = {
 username: $scope.currentUser.id,
 name: $scope.currentUser.name,
diff --git a/ui/app/scripts/controllers/admin/AdminReportTemplatesCtrl.js b/ui/app/scripts/controllers/admin/AdminReportTemplatesCtrl.js
index 2a81537514..8206c5ccce 100644
--- a/ui/app/scripts/controllers/admin/AdminReportTemplatesCtrl.js
+++ b/ui/app/scripts/controllers/admin/AdminReportTemplatesCtrl.js
@@ -8,7 +8,7 @@
 .controller('AdminReportTemplateDeleteCtrl', AdminReportTemplateDeleteCtrl);
- function AdminReportTemplatesCtrl($q, $uibModal, AnalyzerSrv, ReportTemplateSrv) {
+ function AdminReportTemplatesCtrl($q, $uibModal, AnalyzerSrv, ReportTemplateSrv, AlertSrv) {
 var self = this;
 this.templates = [];
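Review bot: The `if(!currentUser || !currentUser.id) { $state.go('login'); return; }` guard in RootCtrl, repeated in SettingsCtrl in the next hunk on this line, is a navigation convenience on the client: it runs after the resolve has already handed the controller whatever the server returned, and nothing in it restricts the settings or report-template API calls themselves, so the server-side checks on those endpoints remain the control the commit title refers to. A short comment above each guard, `// UI-only gate: the API must enforce authentication independently`, would stop a later reader from treating it as the security boundary. In SettingsCtrl the guard is also hard to reach: that state's `currentUser` resolve (app.js, this commit) rejects on any failure, so the controller is never instantiated with a missing user and the branch only fires if `current()` succeeds with an object lacking `id`; if that cannot happen the check is dead code, and if it can, the two resolves in app.js should agree on one failure mode. The early `return` in RootCtrl also leaves `$scope.view` and the other bindings undefined while the transition to `login` is in flight, which is harmless only as long as the app template tolerates them.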
@@ -34,6 +34,8 @@
 self.analyzers = cleared;
 return $q.resolve(self.analyzers);
+ }, function(rejection) {
+ AlertSrv.error('ReportTemplates', rejection.data, rejection.status);
 }).then(function (analyzersMap) {
 if(_.isEmpty(analyzersMap)) {
 _.each(_.pluck(self.templates, 'analyzerId'), function(item) {
diff --git a/ui/app/scripts/services/AnalyzerSrv.js b/ui/app/scripts/services/AnalyzerSrv.js
index 31c9954b1d..0b9405c439 100644
--- a/ui/app/scripts/services/AnalyzerSrv.js
+++ b/ui/app/scripts/services/AnalyzerSrv.js
@@ -35,8 +35,8 @@
 }), 'id');
 deferred.resolve(analyzers);
- }, function (/*rejection*/) {
- deferred.reject({});
+ }, function (rejection) {
+ deferred.reject(rejection);
 });
 } else {
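Review bot: The rejection handler added to the analyzers promise swallows the failure: it reports via `AlertSrv.error` but returns nothing, so the chained `.then(function (analyzersMap)` still runs with `analyzersMap === undefined` and only takes the right branch because `_.isEmpty(undefined)` is true. Make that explicit — `return $q.reject(rejection);` to stop the chain, or `return {};` with a comment that the empty-map path is the intended fallback. `rejection.data` is now whatever the underlying call rejected with, since the AnalyzerSrv hunk on this line forwards the raw rejection instead of `{}` (the `.data`/`.status` shape suggests an HTTP response object, but that is not visible here); if `AlertSrv.error` renders that text as markup — the `ngSanitize` module added in app.js hints that some alert content is bound as HTML — confirm it goes through `$sanitize`/`ng-bind-html` rather than a raw insertion. The promise chain starts and ends outside this hunk.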