authormatt <matt@59fd770c-687e-43c8-a1e3-f5a4ff64c105>2008-10-29 20:19:06 +0300
committermatt <matt@59fd770c-687e-43c8-a1e3-f5a4ff64c105>2008-10-29 20:19:06 +0300
commitae5eadd30a583c5d85db32e3b5e2bfae78bd85a3 (patch)
treead47c42f2bd4f4cf4148225f132525dd52bead23
parentdf5d9dde49a1b4da4030cb2ca8ca63327fd3d53f (diff)
- fix #379 Internal API permission issues
-rw-r--r--TODO2
-rw-r--r--core/API/Request.php17
-rw-r--r--core/Access.php4
-rw-r--r--core/Controller.php6
-rw-r--r--core/Tracker.php2
-rw-r--r--core/ViewDataTable.php4
-rw-r--r--misc/api_internal_call.php5
-rw-r--r--plugins/API/Controller.php31
-rw-r--r--plugins/Login/Controller.php5
-rw-r--r--plugins/Login/Form.php4
-rw-r--r--plugins/Login/Login.php51
-rw-r--r--plugins/Referers/Controller.php4
-rw-r--r--plugins/VisitFrequency/Controller.php3
-rw-r--r--plugins/VisitsSummary/Controller.php9
14 files changed, 77 insertions, 70 deletions
diff --git a/TODO b/TODO
index 15658430b5..5bb42a6168 100644
--- a/TODO
+++ b/TODO
@@ -1,4 +1,6 @@
update mechanism? port modification to TIMESTAMP fields in site/user
+error message ugly in IE, wrong in chrome
+make sure deployement don't include logger in file/db/etc
Bugs
- google chrome/safari bug with calendar + language dropdown
diff --git a/core/API/Request.php b/core/API/Request.php
index 704218fddb..09c96a2de1 100644
--- a/core/API/Request.php
+++ b/core/API/Request.php
@@ -58,8 +58,15 @@ class Piwik_API_Request
$request = trim($request);
$request = str_replace(array("\n","\t"),'', $request);
parse_str($request, $requestArray);
-
- $requestArray = array_merge( $_REQUEST, $requestArray);
+
+ // if a token_auth is specified in the API request, we load the right permissions
+ if(isset($requestArray['token_auth']))
+ {
+ Piwik_PostEvent('API.Request.authenticate', $requestArray['token_auth']);
+ Zend_Registry::get('access')->loadAccess();
+ }
+
+ $requestArray = array_merge($_REQUEST, $requestArray);
}
foreach($requestArray as &$element)
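Review bot: `Zend_Registry::get('access')->loadAccess()` on the new line after the `API.Request.authenticate` event switches the process-wide access object to whatever identity the supplied token_auth resolves to, and nothing in this hunk restores the previous identity afterwards, so a controller that issues an internal `Piwik_API_Request` carrying a token_auth presumably keeps running under that token's rights for the rest of the HTTP request. Either save and restore the access state around the call, or make the contract explicit with a comment such as `// NOTE: loadAccess() replaces the current user's rights for the remainder of the process`. The `isset` test also lets an empty `token_auth=` through to the event; `!empty($requestArray['token_auth'])` (or an explicit `!== ''` check) would avoid authenticating with an empty token. The enclosing method starts before this hunk.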
@@ -92,7 +99,6 @@ class Piwik_API_Request
$response = new Piwik_API_ResponseBuilder($this->request, $outputFormat);
try {
-
// read parameters
$moduleMethod = Piwik_Common::getRequestVar('method', null, null, $this->request);
@@ -102,11 +108,11 @@ class Piwik_API_Request
{
throw new Exception_PluginDeactivated($module);
}
+ $className = "Piwik_" . $module . "_API";
+
// call the method via the API_Proxy class
$api = Piwik_Api_Proxy::getInstance();
$api->registerClass($module);
-
- $className = "Piwik_" . $module . "_API";
// check method exists
$api->checkMethodExists($className, $method);
@@ -121,7 +127,6 @@ class Piwik_API_Request
$returnedValue = call_user_func_array( array( $api->$module, $method), $finalParameters );
$toReturn = $response->getResponse($returnedValue);
-
} catch(Exception $e ) {
return $response->getResponseException( $e );
}
diff --git a/core/Access.php b/core/Access.php
index fe8bd202fc..f6251ec2a1 100644
--- a/core/Access.php
+++ b/core/Access.php
@@ -178,7 +178,7 @@ class Piwik_Access
/**
* Returns the current user login
- * @return string
+ * @return string|null
*/
public function getLogin()
{
@@ -187,7 +187,7 @@ class Piwik_Access
/**
* Returns the token_auth used to authenticate this user in the API
- * @return string
+ * @return string|null
*/
public function getTokenAuth()
{
diff --git a/core/Controller.php b/core/Controller.php
index dbc21a418c..432a9e46c1 100644
--- a/core/Controller.php
+++ b/core/Controller.php
@@ -264,14 +264,16 @@ abstract class Piwik_Controller
}
else
{
- if(($currentLogin = Piwik::getCurrentUserLogin()) != 'anonymous')
+ $currentLogin = Piwik::getCurrentUserLogin();
+ if(!empty($currentLogin)
+ && $currentLogin != 'anonymous')
{
Piwik_ExitWithMessage( sprintf(Piwik_Translate('CoreHome_NoPrivileges'),$currentLogin).
"<br /><br />&nbsp;&nbsp;&nbsp;<b><a href='?module=Login&amp;action=logout'>&rsaquo; ".Piwik_Translate('General_Logout')."</a></b><br />");
}
else
{
- Piwik_FrontController::dispatch('Login');
+ Piwik_FrontController::dispatch('Login', false);
}
}
exit;
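Review bot: `!empty($currentLogin)` in the new condition treats a login of `'0'` as absent, and `!= 'anonymous'` compares loosely; since `getLogin()` now documents a `string|null` return (core/Access.php in this commit), the precise test is `if($currentLogin !== null && $currentLogin !== 'anonymous')`. The new second argument in `Piwik_FrontController::dispatch('Login', false)` is an unnamed boolean whose meaning is not visible here; a short comment saying what it disables would help the next reader. The enclosing method starts before this hunk.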
diff --git a/core/Tracker.php b/core/Tracker.php
index 225d7e2234..f0df3d2fcc 100644
--- a/core/Tracker.php
+++ b/core/Tracker.php
@@ -249,7 +249,7 @@ class Piwik_Tracker
}
}
- private function handleDownload()
+ private function handleDownloadRedirect()
{
$downloadVariableName = Piwik_Tracker_Config::getInstance()->Tracker['download_url_var_name'];
$urlDownload = Piwik_Common::getRequestVar( $downloadVariableName, '', 'string');
diff --git a/core/ViewDataTable.php b/core/ViewDataTable.php
index d367097278..7f95c4b544 100644
--- a/core/ViewDataTable.php
+++ b/core/ViewDataTable.php
@@ -348,9 +348,7 @@ abstract class Piwik_ViewDataTable
// we setup the method and format variable
// - we request the method to call to get this specific DataTable
// - the format = original specifies that we want to get the original DataTable structure itself, not rendered
- $requestString = 'method='.$this->moduleNameAndMethod
- .'&format=original'
- ;
+ $requestString = 'method='.$this->moduleNameAndMethod.'&format=original';
if( $this->recursiveDataTableLoad )
{
$requestString .= '&expanded=1';
diff --git a/misc/api_internal_call.php b/misc/api_internal_call.php
index 346b09ba93..9ea1083e8d 100644
--- a/misc/api_internal_call.php
+++ b/misc/api_internal_call.php
@@ -4,14 +4,12 @@ define('ENABLE_DISPATCH', false);
require_once PIWIK_INCLUDE_PATH . "/index.php";
require_once PIWIK_INCLUDE_PATH . "/core/API/Request.php";
-
Piwik_FrontController::getInstance()->init();
// We call the API from a php code
// it will check that you have the necessary rights
// - either you are loggued in piwik and have a cookie in your browser
-// - or you will have to add the token_auth=xxx to the request string to authenticate
-// beware that the token_auth changes every time you change your password
+// - or you replace the token_auth=xxx to the request string to authenticate
$request = new Piwik_API_Request('
method=UserSettings.getResolution
&idSite=1
@@ -19,6 +17,7 @@ $request = new Piwik_API_Request('
&period=week
&format=XML
&filter_limit=3
+ &token_auth=anonymous
');
$result = $request->process();
echo $result;
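Review bot: the added `&token_auth=anonymous` example is harmless as written, but the comment rewritten in the previous hunk (`// - or you replace the token_auth=xxx to the request string to authenticate`) is ungrammatical and no longer says what the token is; suggest `// - or you add token_auth=xxx (the user's API token) to the request string to authenticate`. Because a real token placed in this script grants that user's rights to anyone who can read the file, the comment should also say to keep such tokens out of files under version control.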
diff --git a/plugins/API/Controller.php b/plugins/API/Controller.php
index dc17e8ce56..b0545ba281 100644
--- a/plugins/API/Controller.php
+++ b/plugins/API/Controller.php
@@ -20,9 +20,24 @@ class Piwik_API_Controller extends Piwik_Controller
{
function index()
{
- $request = new Piwik_API_Request();
+ $request = new Piwik_API_Request('token_auth='.Piwik_Common::getRequestVar('token_auth', 'anonymous', 'string'));
echo $request->process();
}
+
+ public function listAllMethods()
+ {
+ $this->init();
+ echo Piwik_API_Proxy::getInstance()->getAllInterfaceString( $outputExampleUrls = true, $prefixUrls = Piwik_Common::getRequestVar('prefixUrl', '') );
+ }
+
+ public function listAllAPI()
+ {
+ $view = new Piwik_View("API/templates/listAllAPI.tpl");
+ $this->setGeneralVariablesView($view);
+ $view->countLoadedAPI = $this->init();
+ $view->list_api_methods_with_links = Piwik_API_Proxy::getInstance()->getAllInterfaceString();
+ echo $view->render();
+ }
protected function init()
{
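Review bot: in `index()` the raw `token_auth` request value is concatenated straight into the query string handed to `Piwik_API_Request`, which later runs `parse_str` on it, so a value containing `&` or `=` is split into extra parameters instead of being kept as the token (assuming the `'string'` type in `getRequestVar` does not already neutralise those characters). Encoding the value keeps it a single parameter: `$request = new Piwik_API_Request('token_auth='.urlencode(Piwik_Common::getRequestVar('token_auth', 'anonymous', 'string')));`. The moved `listAllMethods`/`listAllAPI` bodies are unchanged; the inline assignments in the `getAllInterfaceString( $outputExampleUrls = true, $prefixUrls = ... )` argument list are a pre-existing oddity that could simply be positional arguments.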
@@ -43,20 +58,6 @@ class Piwik_API_Controller extends Piwik_Controller
return $loaded;
}
- function listAllMethods()
- {
- $this->init();
- echo Piwik_API_Proxy::getInstance()->getAllInterfaceString( $outputExampleUrls = true, $prefixUrls = Piwik_Common::getRequestVar('prefixUrl', '') );
- }
-
- function listAllAPI()
- {
- $view = new Piwik_View("API/templates/listAllAPI.tpl");
- $this->setGeneralVariablesView($view);
- $view->countLoadedAPI = $this->init();
- $view->list_api_methods_with_links = Piwik_API_Proxy::getInstance()->getAllInterfaceString();
- echo $view->render();
- }
}
diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php
index 8ec02e4776..fbee6a38e0 100644
--- a/plugins/Login/Controller.php
+++ b/plugins/Login/Controller.php
@@ -30,7 +30,7 @@ class Piwik_Login_Controller extends Piwik_Controller
// get url from POSTed form or GET parameter (getting back from password remind form)
$urlToRedirect = Piwik_Common::getRequestVar('form_url', htmlspecialchars(Piwik_Url::getCurrentUrl()), 'string');
-
+ $urlToRedirect = htmlspecialchars_decode($urlToRedirect);
if($form->validate())
{
$login = $form->getSubmitValue('form_login');
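Review bot: `htmlspecialchars_decode($urlToRedirect)` on the new line turns the `form_url` value back into raw user-supplied text before it is used as the post-login redirect target, and the redirect itself is outside this hunk, so it is not visible whether the target is restricted to this Piwik installation. If it is not, an externally supplied `form_url` becomes an open redirect after a successful login; the target should be checked against the installation's own host/path (compare with `Piwik_Url::getCurrentUrl()`) before redirecting. A comment on this line noting that the decode undoes the `htmlspecialchars` applied to the default and to the hidden form field would also help. The enclosing method starts before and ends after this hunk.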
@@ -71,9 +71,10 @@ class Piwik_Login_Controller extends Piwik_Controller
$password = md5($password);
}
$tokenAuth = Piwik_UsersManager_API::getTokenAuth($login, $password);
- Piwik_Login::prepareAuthObject($login, $tokenAuth);
$auth = Zend_Registry::get('auth');
+ $auth->setLogin($login);
+ $auth->setTokenAuth($tokenAuth);
$authResult = $auth->authenticate();
if($authResult->isValid())
{
diff --git a/plugins/Login/Form.php b/plugins/Login/Form.php
index 32932851df..574ca476f2 100644
--- a/plugins/Login/Form.php
+++ b/plugins/Login/Form.php
@@ -34,14 +34,12 @@ class Piwik_Login_Form extends Piwik_Form
{
$urlToGoAfter = Piwik_Url::getReferer();
}
-
$formElements = array(
array('text', 'form_login'),
array('password', 'form_password'),
- array('hidden', 'form_url', $urlToGoAfter),
+ array('hidden', 'form_url', $urlToGoAfter)
);
$this->addElements( $formElements );
-
$formRules = array(
array('form_login', sprintf(Piwik_Translate('General_Required'), Piwik_Translate('Login_Login')), 'required'),
array('form_password', sprintf(Piwik_Translate('General_Required'), Piwik_Translate('Login_Password')), 'required'),
diff --git a/plugins/Login/Login.php b/plugins/Login/Login.php
index d5fdbdd747..91cb94d52a 100644
--- a/plugins/Login/Login.php
+++ b/plugins/Login/Login.php
@@ -35,6 +35,7 @@ class Piwik_Login extends Piwik_Plugin
$hooks = array(
'FrontController.initAuthenticationObject' => 'initAuthenticationObject',
'FrontController.NoAccessException' => 'noAccess',
+ 'API.Request.authenticate' => 'ApiRequestAuthenticate',
);
return $hooks;
}
@@ -48,39 +49,35 @@ class Piwik_Login extends Piwik_Plugin
$controller->login($exceptionMessage);
}
+ function ApiRequestAuthenticate($notification)
+ {
+ $tokenAuth = $notification->getNotificationObject();
+ Zend_Registry::get('auth')->setTokenAuth($tokenAuth);
+ }
+
function initAuthenticationObject($notification)
{
- $authAdapter = new Piwik_Login_Auth();
- Zend_Registry::set('auth', $authAdapter);
+ $auth = new Piwik_Login_Auth();
+ Zend_Registry::set('auth', $auth);
- if(Piwik::getModule() === 'API' && Piwik::getAction() != 'listAllAPI')
+ $action = Piwik::getAction();
+ if(Piwik::getModule() === 'API'
+ && (empty($action) || $action == 'index'))
{
- $tokenAuthAPIInUrl = Piwik_Common::getRequestVar('token_auth', 'anonymous', 'string');
- if( !empty($tokenAuthAPIInUrl))
- {
- $authAdapter->setTokenAuth($tokenAuthAPIInUrl);
- }
+ return;
}
- else
+
+ $authCookieName = 'piwik-auth';
+ $authCookieExpiry = time() + 3600;
+ $authCookie = new Piwik_Cookie($authCookieName, $authCookieExpiry);
+ $defaultLogin = 'anonymous';
+ $defaultTokenAuth = 'anonymous';
+ if($authCookie->isCookieFound())
{
- $authCookieName = 'piwik-auth';
- $authCookieExpiry = time() + 3600;
- $authCookie = new Piwik_Cookie($authCookieName, $authCookieExpiry);
- $defaultLogin = 'anonymous';
- $defaultTokenAuth = 'anonymous';
- if($authCookie->isCookieFound())
- {
- $defaultLogin = $authCookie->get('login');
- $defaultTokenAuth = $authCookie->get('token_auth');
- }
- self::prepareAuthObject($defaultLogin, $defaultTokenAuth);
+ $defaultLogin = $authCookie->get('login');
+ $defaultTokenAuth = $authCookie->get('token_auth');
}
- }
-
- static function prepareAuthObject( $login, $tokenAuth )
- {
- $auth = Zend_Registry::get('auth');
- $auth->setLogin($login);
- $auth->setTokenAuth($tokenAuth);
+ $auth->setLogin($defaultLogin);
+ $auth->setTokenAuth($defaultTokenAuth);
}
}
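Review bot: the early `return` for `module=API` with an empty or `index` action leaves the freshly registered auth object with neither login nor token_auth set, so for those requests authentication depends entirely on the `API.Request.authenticate` event later supplying a token and the session cookie is never consulted. That is a sensible property (a browser session cannot authorise API calls on its own) but it is stated nowhere; a comment such as `// API requests authenticate with an explicit token_auth only (see ApiRequestAuthenticate); the piwik-auth cookie is deliberately ignored here` would stop it being "fixed" later. `$action == 'index'` is a loose comparison next to the strict `Piwik::getModule() === 'API'`; use `$action === 'index'`. `ApiRequestAuthenticate` sets only the token, so if `Piwik_Login_Auth::authenticate()` also needs a login, that is left null on this path — worth confirming.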
diff --git a/plugins/Referers/Controller.php b/plugins/Referers/Controller.php
index 37bcfbdc39..5051a00a35 100644
--- a/plugins/Referers/Controller.php
+++ b/plugins/Referers/Controller.php
@@ -236,7 +236,9 @@ class Piwik_Referers_Controller extends Piwik_Controller
// we disable the queued filters because here we want to get the visits coming from search engines
// if the filters were applied we would have to look up for a label looking like "Search Engines"
// which is not good when we have translations
- $requestString = 'method='."Referers.getRefererType".'&format=original'.'&disable_queued_filters=1';
+ $requestString = "method=Referers.getRefererType
+ &format=original
+ &disable_queued_filters=1";
$request = new Piwik_API_Request($requestString);
return $request->process();
}
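Review bot: the request string is now split across lines, but `Piwik_API_Request` (core/API/Request.php in this commit) only strips `\n` and `\t` before `parse_str`, so if the continuation lines are indented with spaces, or the file has `\r\n` line endings, that whitespace lands inside the `method` value and the proxy's method lookup may then fail to match it. A single-line string, or `implode('&', array('method=Referers.getRefererType', 'format=original', 'disable_queued_filters=1'))`, avoids depending on the editor's indentation. The same applies to plugins/VisitFrequency/Controller.php, plugins/VisitsSummary/Controller.php and misc/api_internal_call.php in this commit.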
diff --git a/plugins/VisitFrequency/Controller.php b/plugins/VisitFrequency/Controller.php
index 1864eea059..c3ce1a01bb 100644
--- a/plugins/VisitFrequency/Controller.php
+++ b/plugins/VisitFrequency/Controller.php
@@ -37,7 +37,8 @@ class Piwik_VisitFrequency_Controller extends Piwik_Controller
protected function getSummary()
{
- $requestString = 'method='."VisitFrequency.getSummary".'&format=original';
+ $requestString = "method=VisitFrequency.getSummary
+ &format=original";
$request = new Piwik_API_Request($requestString);
return $request->process();
}
diff --git a/plugins/VisitsSummary/Controller.php b/plugins/VisitsSummary/Controller.php
index 3574f5fec6..af389c2470 100644
--- a/plugins/VisitsSummary/Controller.php
+++ b/plugins/VisitsSummary/Controller.php
@@ -40,10 +40,11 @@ class Piwik_VisitsSummary_Controller extends Piwik_Controller
static public function getVisitsSummary()
{
- $requestString = 'method=VisitsSummary.get&format=original'.
- // we disable filters for example "search for pattern", in the case this method is called
- // by a method that already calls the API with some generic filters applied
- '&disable_generic_filters=true';
+ $requestString = "method=VisitsSummary.get
+ &format=original".
+ // we disable filters for example "search for pattern", in the case this method is called
+ // by a method that already calls the API with some generic filters applied
+ "&disable_generic_filters=true";
$request = new Piwik_API_Request($requestString);
return $request->process();
}