author | matt <matt@59fd770c-687e-43c8-a1e3-f5a4ff64c105> | 2008-10-29 20:19:06 +0300 |
---|---|---|
committer | matt <matt@59fd770c-687e-43c8-a1e3-f5a4ff64c105> | 2008-10-29 20:19:06 +0300 |
commit | ae5eadd30a583c5d85db32e3b5e2bfae78bd85a3 (patch) | |
tree | ad47c42f2bd4f4cf4148225f132525dd52bead23 | |
parent | df5d9dde49a1b4da4030cb2ca8ca63327fd3d53f (diff) |
- fix #379 Internal API permission issues
-rw-r--r-- | TODO | 2 | ||||
-rw-r--r-- | core/API/Request.php | 17 | ||||
-rw-r--r-- | core/Access.php | 4 | ||||
-rw-r--r-- | core/Controller.php | 6 | ||||
-rw-r--r-- | core/Tracker.php | 2 | ||||
-rw-r--r-- | core/ViewDataTable.php | 4 | ||||
-rw-r--r-- | misc/api_internal_call.php | 5 | ||||
-rw-r--r-- | plugins/API/Controller.php | 31 | ||||
-rw-r--r-- | plugins/Login/Controller.php | 5 | ||||
-rw-r--r-- | plugins/Login/Form.php | 4 | ||||
-rw-r--r-- | plugins/Login/Login.php | 51 | ||||
-rw-r--r-- | plugins/Referers/Controller.php | 4 | ||||
-rw-r--r-- | plugins/VisitFrequency/Controller.php | 3 | ||||
-rw-r--r-- | plugins/VisitsSummary/Controller.php | 9 |
14 files changed, 77 insertions, 70 deletions
@@ -1,4 +1,6 @@ update mechanism? port modification to TIMESTAMP fields in site/user +error message ugly in IE, wrong in chrome +make sure deployement don't include logger in file/db/etc Bugs - google chrome/safari bug with calendar + language dropdown diff --git a/core/API/Request.php b/core/API/Request.php index 704218fddb..09c96a2de1 100644 --- a/core/API/Request.php +++ b/core/API/Request.php @@ -58,8 +58,15 @@ class Piwik_API_Request $request = trim($request); $request = str_replace(array("\n","\t"),'', $request); parse_str($request, $requestArray); - - $requestArray = array_merge( $_REQUEST, $requestArray); + + // if a token_auth is specified in the API request, we load the right permissions + if(isset($requestArray['token_auth'])) + { + Piwik_PostEvent('API.Request.authenticate', $requestArray['token_auth']); + Zend_Registry::get('access')->loadAccess(); + } + + $requestArray = array_merge($_REQUEST, $requestArray); } foreach($requestArray as &$element) @@ -92,7 +99,6 @@ class Piwik_API_Request $response = new Piwik_API_ResponseBuilder($this->request, $outputFormat); try { - // read parameters $moduleMethod = Piwik_Common::getRequestVar('method', null, null, $this->request); @@ -102,11 +108,11 @@ class Piwik_API_Request { throw new Exception_PluginDeactivated($module); } + $className = "Piwik_" . $module . "_API"; + // call the method via the API_Proxy class $api = Piwik_Api_Proxy::getInstance(); $api->registerClass($module); - - $className = "Piwik_" . $module . "_API"; // check method exists $api->checkMethodExists($className, $method); @@ -121,7 +127,6 @@ class Piwik_API_Request $returnedValue = call_user_func_array( array( $api->$module, $method), $finalParameters ); $toReturn = $response->getResponse($returnedValue); - } catch(Exception $e ) { return $response->getResponseException( $e ); } diff --git a/core/Access.php b/core/Access.php index fe8bd202fc..f6251ec2a1 100644 --- a/core/Access.php +++ b/core/Access.php 
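Review bot: The token_auth read from $requestArray in the new block of core/API/Request.php is handed to Piwik_PostEvent without checking that it is a string; parse_str builds a nested array for a request string such as `token_auth[]=x`, so the value that reaches setTokenAuth can be an array rather than a token. Guarding with `if(isset($requestArray['token_auth']) && is_string($requestArray['token_auth']))` lets a malformed value fall through to the default instead. Only a token present in the explicit request string triggers the event; a token_auth arriving solely through $_REQUEST, merged on the following line, does not, which appears intended since plugins/API/Controller.php now forwards it explicitly. The enclosing method begins before this hunk.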
@@ -178,7 +178,7 @@ class Piwik_Access /** * Returns the current user login - * @return string + * @return string|null */ public function getLogin() { @@ -187,7 +187,7 @@ class Piwik_Access /** * Returns the token_auth used to authenticate this user in the API - * @return string + * @return string|null */ public function getTokenAuth() { diff --git a/core/Controller.php b/core/Controller.php index dbc21a418c..432a9e46c1 100644 --- a/core/Controller.php +++ b/core/Controller.php @@ -264,14 +264,16 @@ abstract class Piwik_Controller } else { - if(($currentLogin = Piwik::getCurrentUserLogin()) != 'anonymous') + $currentLogin = Piwik::getCurrentUserLogin(); + if(!empty($currentLogin) + && $currentLogin != 'anonymous') { Piwik_ExitWithMessage( sprintf(Piwik_Translate('CoreHome_NoPrivileges'),$currentLogin). "<br /><br /> <b><a href='?module=Login&action=logout'>› ".Piwik_Translate('General_Logout')."</a></b><br />"); } else { - Piwik_FrontController::dispatch('Login'); + Piwik_FrontController::dispatch('Login', false); } } exit; diff --git a/core/Tracker.php b/core/Tracker.php index 225d7e2234..f0df3d2fcc 100644 --- a/core/Tracker.php +++ b/core/Tracker.php @@ -249,7 +249,7 @@ class Piwik_Tracker } } - private function handleDownload() + private function handleDownloadRedirect() { $downloadVariableName = Piwik_Tracker_Config::getInstance()->Tracker['download_url_var_name']; $urlDownload = Piwik_Common::getRequestVar( $downloadVariableName, '', 'string'); diff --git a/core/ViewDataTable.php b/core/ViewDataTable.php index d367097278..7f95c4b544 100644 --- a/core/ViewDataTable.php +++ b/core/ViewDataTable.php 
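Review bot: The new condition `!empty($currentLogin) && $currentLogin != 'anonymous'` in core/Controller.php still compares loosely and treats a login of `'0'` as absent, sending that user to the login dispatch instead of the no-privileges message. Since getLogin() is now documented as string|null, the explicit form `$currentLogin !== null && $currentLogin !== '' && $currentLogin !== 'anonymous'` states the intent without the empty() pitfall. The second argument added in `Piwik_FrontController::dispatch('Login', false)` is not explained; a short comment naming what the flag turns off would help the next reader. The enclosing method starts and ends outside this hunk.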
@@ -348,9 +348,7 @@ abstract class Piwik_ViewDataTable // we setup the method and format variable // - we request the method to call to get this specific DataTable // - the format = original specifies that we want to get the original DataTable structure itself, not rendered - $requestString = 'method='.$this->moduleNameAndMethod - .'&format=original' - ; + $requestString = 'method='.$this->moduleNameAndMethod.'&format=original'; if( $this->recursiveDataTableLoad ) { $requestString .= '&expanded=1'; diff --git a/misc/api_internal_call.php b/misc/api_internal_call.php index 346b09ba93..9ea1083e8d 100644 --- a/misc/api_internal_call.php +++ b/misc/api_internal_call.php @@ -4,14 +4,12 @@ define('ENABLE_DISPATCH', false); require_once PIWIK_INCLUDE_PATH . "/index.php"; require_once PIWIK_INCLUDE_PATH . "/core/API/Request.php"; - Piwik_FrontController::getInstance()->init(); // We call the API from a php code // it will check that you have the necessary rights // - either you are loggued in piwik and have a cookie in your browser -// - or you will have to add the token_auth=xxx to the request string to authenticate -// beware that the token_auth changes every time you change your password +// - or you replace the token_auth=xxx to the request string to authenticate $request = new Piwik_API_Request(' method=UserSettings.getResolution &idSite=1 @@ -19,6 +17,7 @@ $request = new Piwik_API_Request(' &period=week &format=XML &filter_limit=3 + &token_auth=anonymous '); $result = $request->process(); echo $result; diff --git a/plugins/API/Controller.php b/plugins/API/Controller.php index dc17e8ce56..b0545ba281 100644 --- a/plugins/API/Controller.php +++ b/plugins/API/Controller.php 
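Review bot: The rewritten comment in misc/api_internal_call.php drops the caveat that a user's token_auth changes with the password, and its new sentence ("you replace the token_auth=xxx to the request string") reads awkwardly; the example below it also now sends `&token_auth=anonymous`, so the sample call runs with anonymous permissions rather than those of a logged-in user, which the comment should say. Suggested replacement for the two bullet lines: `// - either you are logged in to Piwik and have the auth cookie in your browser` and `// - or you add token_auth=xxx to the request string (the example below uses the anonymous token); a user's token_auth changes whenever the password changes`.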
@@ -20,9 +20,24 @@ class Piwik_API_Controller extends Piwik_Controller { function index() { - $request = new Piwik_API_Request(); + $request = new Piwik_API_Request('token_auth='.Piwik_Common::getRequestVar('token_auth', 'anonymous', 'string')); echo $request->process(); } + + public function listAllMethods() + { + $this->init(); + echo Piwik_API_Proxy::getInstance()->getAllInterfaceString( $outputExampleUrls = true, $prefixUrls = Piwik_Common::getRequestVar('prefixUrl', '') ); + } + + public function listAllAPI() + { + $view = new Piwik_View("API/templates/listAllAPI.tpl"); + $this->setGeneralVariablesView($view); + $view->countLoadedAPI = $this->init(); + $view->list_api_methods_with_links = Piwik_API_Proxy::getInstance()->getAllInterfaceString(); + echo $view->render(); + } protected function init() { @@ -43,20 +58,6 @@ class Piwik_API_Controller extends Piwik_Controller return $loaded; } - function listAllMethods() - { - $this->init(); - echo Piwik_API_Proxy::getInstance()->getAllInterfaceString( $outputExampleUrls = true, $prefixUrls = Piwik_Common::getRequestVar('prefixUrl', '') ); - } - - function listAllAPI() - { - $view = new Piwik_View("API/templates/listAllAPI.tpl"); - $this->setGeneralVariablesView($view); - $view->countLoadedAPI = $this->init(); - $view->list_api_methods_with_links = Piwik_API_Proxy::getInstance()->getAllInterfaceString(); - echo $view->render(); - } } diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php index 8ec02e4776..fbee6a38e0 100644 --- a/plugins/Login/Controller.php +++ b/plugins/Login/Controller.php @@ -30,7 +30,7 @@ class Piwik_Login_Controller extends Piwik_Controller // get url from POSTed form or GET parameter (getting back from password remind form) $urlToRedirect = Piwik_Common::getRequestVar('form_url', htmlspecialchars(Piwik_Url::getCurrentUrl()), 'string'); - + $urlToRedirect = htmlspecialchars_decode($urlToRedirect); if($form->validate()) { $login = $form->getSubmitValue('form_login'); 
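Review bot: In index() of plugins/API/Controller.php the value returned by getRequestVar('token_auth', ...) is concatenated into the request string unencoded, and Piwik_API_Request later runs parse_str on that string, so a token containing `&` or `=` is split into extra parameters instead of being treated as one value. Building it as `'token_auth='.urlencode(Piwik_Common::getRequestVar('token_auth', 'anonymous', 'string'))` keeps the token a single parameter whatever it contains. The two relocated methods now carry an explicit `public`, while `function index()` still has none; `public function index()` keeps the class consistent.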
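Review bot: In plugins/Login/Controller.php, `$urlToRedirect` comes from the user-supplied form_url parameter and, after the new htmlspecialchars_decode call, is a plain URL with no restriction visible in this hunk; if it is used as the post-login redirect target further down (outside the hunk), the login page can bounce a user to an arbitrary external site. The decode is needed because the form stores the URL escaped, but the value should still be limited to this installation before use, for example by accepting only a relative path or by comparing its host with the host of Piwik_Url::getCurrentUrl(). Where the redirect happens is not visible here, so this may already be handled; a comment on the decode line stating where the URL is validated would settle it.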
@@ -71,9 +71,10 @@ class Piwik_Login_Controller extends Piwik_Controller $password = md5($password); } $tokenAuth = Piwik_UsersManager_API::getTokenAuth($login, $password); - Piwik_Login::prepareAuthObject($login, $tokenAuth); $auth = Zend_Registry::get('auth'); + $auth->setLogin($login); + $auth->setTokenAuth($tokenAuth); $authResult = $auth->authenticate(); if($authResult->isValid()) { diff --git a/plugins/Login/Form.php b/plugins/Login/Form.php index 32932851df..574ca476f2 100644 --- a/plugins/Login/Form.php +++ b/plugins/Login/Form.php @@ -34,14 +34,12 @@ class Piwik_Login_Form extends Piwik_Form { $urlToGoAfter = Piwik_Url::getReferer(); } - $formElements = array( array('text', 'form_login'), array('password', 'form_password'), - array('hidden', 'form_url', $urlToGoAfter), + array('hidden', 'form_url', $urlToGoAfter) ); $this->addElements( $formElements ); - $formRules = array( array('form_login', sprintf(Piwik_Translate('General_Required'), Piwik_Translate('Login_Login')), 'required'), array('form_password', sprintf(Piwik_Translate('General_Required'), Piwik_Translate('Login_Password')), 'required'), diff --git a/plugins/Login/Login.php b/plugins/Login/Login.php index d5fdbdd747..91cb94d52a 100644 --- a/plugins/Login/Login.php +++ b/plugins/Login/Login.php @@ -35,6 +35,7 @@ class Piwik_Login extends Piwik_Plugin $hooks = array( 'FrontController.initAuthenticationObject' => 'initAuthenticationObject', 'FrontController.NoAccessException' => 'noAccess', + 'API.Request.authenticate' => 'ApiRequestAuthenticate', ); return $hooks; } 
@@ -48,39 +49,35 @@ class Piwik_Login extends Piwik_Plugin $controller->login($exceptionMessage); } + function ApiRequestAuthenticate($notification) + { + $tokenAuth = $notification->getNotificationObject(); + Zend_Registry::get('auth')->setTokenAuth($tokenAuth); + } + function initAuthenticationObject($notification) { - $authAdapter = new Piwik_Login_Auth(); - Zend_Registry::set('auth', $authAdapter); + $auth = new Piwik_Login_Auth(); + Zend_Registry::set('auth', $auth); - if(Piwik::getModule() === 'API' && Piwik::getAction() != 'listAllAPI') + $action = Piwik::getAction(); + if(Piwik::getModule() === 'API' + && (empty($action) || $action == 'index')) { - $tokenAuthAPIInUrl = Piwik_Common::getRequestVar('token_auth', 'anonymous', 'string'); - if( !empty($tokenAuthAPIInUrl)) - { - $authAdapter->setTokenAuth($tokenAuthAPIInUrl); - } + return; } - else + + $authCookieName = 'piwik-auth'; + $authCookieExpiry = time() + 3600; + $authCookie = new Piwik_Cookie($authCookieName, $authCookieExpiry); + $defaultLogin = 'anonymous'; + $defaultTokenAuth = 'anonymous'; + if($authCookie->isCookieFound()) { - $authCookieName = 'piwik-auth'; - $authCookieExpiry = time() + 3600; - $authCookie = new Piwik_Cookie($authCookieName, $authCookieExpiry); - $defaultLogin = 'anonymous'; - $defaultTokenAuth = 'anonymous'; - if($authCookie->isCookieFound()) - { - $defaultLogin = $authCookie->get('login'); - $defaultTokenAuth = $authCookie->get('token_auth'); - } - self::prepareAuthObject($defaultLogin, $defaultTokenAuth); + $defaultLogin = $authCookie->get('login'); + $defaultTokenAuth = $authCookie->get('token_auth'); } - } - - static function prepareAuthObject( $login, $tokenAuth ) - { - $auth = Zend_Registry::get('auth'); - $auth->setLogin($login); - $auth->setTokenAuth($tokenAuth); + $auth->setLogin($defaultLogin); + $auth->setTokenAuth($defaultTokenAuth); } } diff --git a/plugins/Referers/Controller.php b/plugins/Referers/Controller.php index 37bcfbdc39..5051a00a35 100644 
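Review bot: With the early return added to initAuthenticationObject(), the module=API index path leaves the auth object without any login and relies on the new ApiRequestAuthenticate() hook, which sets only the token; if Piwik_Login_Auth::authenticate() (not shown) also consults the login, this path now differs from the cookie path that sets both. ApiRequestAuthenticate() also passes the notification object straight to setTokenAuth without a type check, so an array produced by a `token_auth[]=` query string reaches the adapter. A comment above the return such as `// API calls authenticate with the token_auth in the request (see Piwik_API_Request), never with the cookie` would document the split, and `$action === 'index'` avoids the loose comparison.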
--- a/plugins/Referers/Controller.php +++ b/plugins/Referers/Controller.php @@ -236,7 +236,9 @@ class Piwik_Referers_Controller extends Piwik_Controller // we disable the queued filters because here we want to get the visits coming from search engines // if the filters were applied we would have to look up for a label looking like "Search Engines" // which is not good when we have translations - $requestString = 'method='."Referers.getRefererType".'&format=original'.'&disable_queued_filters=1'; + $requestString = "method=Referers.getRefererType + &format=original + &disable_queued_filters=1"; $request = new Piwik_API_Request($requestString); return $request->process(); } diff --git a/plugins/VisitFrequency/Controller.php b/plugins/VisitFrequency/Controller.php index 1864eea059..c3ce1a01bb 100644 --- a/plugins/VisitFrequency/Controller.php +++ b/plugins/VisitFrequency/Controller.php @@ -37,7 +37,8 @@ class Piwik_VisitFrequency_Controller extends Piwik_Controller protected function getSummary() { - $requestString = 'method='."VisitFrequency.getSummary".'&format=original'; + $requestString = "method=VisitFrequency.getSummary + &format=original"; $request = new Piwik_API_Request($requestString); return $request->process(); } diff --git a/plugins/VisitsSummary/Controller.php b/plugins/VisitsSummary/Controller.php index 3574f5fec6..af389c2470 100644 --- a/plugins/VisitsSummary/Controller.php +++ b/plugins/VisitsSummary/Controller.php 
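Review bot: The request string in plugins/Referers/Controller.php is now a double-quoted literal spanning three lines, so the newline and the indentation of each continuation line become part of the string; Piwik_API_Request strips only "\n" and "\t" (the trim/str_replace in core/API/Request.php), so any space indentation here is carried into the parameter values and parse_str keeps it, for instance as a `method` value with trailing spaces. If the file is tab-indented this works, but it is fragile against an editor re-indenting with spaces; the same applies to plugins/VisitFrequency/Controller.php on this line and plugins/VisitsSummary/Controller.php below. The single-line form `$requestString = 'method=Referers.getRefererType&format=original&disable_queued_filters=1';` removes the dependency on whitespace handling.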
@@ -40,10 +40,11 @@ class Piwik_VisitsSummary_Controller extends Piwik_Controller static public function getVisitsSummary() { - $requestString = 'method=VisitsSummary.get&format=original'. - // we disable filters for example "search for pattern", in the case this method is called - // by a method that already calls the API with some generic filters applied - '&disable_generic_filters=true'; + $requestString = "method=VisitsSummary.get + &format=original". + // we disable filters for example "search for pattern", in the case this method is called + // by a method that already calls the API with some generic filters applied + "&disable_generic_filters=true"; $request = new Piwik_API_Request($requestString); return $request->process(); } |