author | Thomas Steur <thomas.steur@googlemail.com> | 2014-03-04 03:20:28 +0400 |
---|---|---|
committer | Thomas Steur <thomas.steur@googlemail.com> | 2014-03-04 05:59:16 +0400 |
commit | 18928589a5a035b543138c240545a5f63b0f0af6 (patch) | |
tree | 71a1552bbaa7644da4f59288d19eb009fbc952f4 | |
parent | 9517ea96342e6c4724005e3066bbdfeb90b47ccd (diff) |
refs #4747 verify user has at least view access for the site
-rw-r--r-- | plugins/ScheduledReports/API.php | 20 | ||||
-rw-r--r-- | plugins/SitesManager/API.php | 4 |
2 files changed, 24 insertions, 0 deletions
diff --git a/plugins/ScheduledReports/API.php b/plugins/ScheduledReports/API.php
index e7771d1f8a..e5926e1b44 100644
--- a/plugins/ScheduledReports/API.php
+++ b/plugins/ScheduledReports/API.php
@@ -12,9 +12,11 @@ use Exception;
 use Piwik\Common;
 use Piwik\Date;
 use Piwik\Db;
+use Piwik\NoAccessException;
 use Piwik\Piwik;
 use Piwik\Plugins\LanguagesManager\LanguagesManager;
 use Piwik\Plugins\SegmentEditor\API as APISegmentEditor;
+use Piwik\Plugins\SitesManager\API as SitesManagerApi;
 use Piwik\ReportRenderer;
 use Piwik\ReportRenderer\Html;
 use Piwik\Site;
@@ -288,8 +290,11 @@ class API extends \Piwik\Plugin\API
 $report = reset($reports);
 $idSite = $report['idsite'];
+ $login = $report['login'];
 $reportType = $report['type'];
+ $this->checkUserHasViewPermission($login, $idSite);
+
 // override report period
 if (empty($period)) {
 $period = $report['period'];
@@ -935,4 +940,19 @@ class API extends \Piwik\Plugin\API
 return $additionalFile;
 }
+
+ private function checkUserHasViewPermission($login, $idSite)
+ {
+ if (empty($idSite)) {
+ return;
+ }
+
+ $idSitesUserHasAccess = SitesManagerApi::getInstance()->getSitesIdWithAtLeastViewAccess($login);
+
+ if (empty($idSitesUserHasAccess)
+ || !in_array($idSite, $idSitesUserHasAccess)
+ ) {
+ throw new NoAccessException(Piwik::translate('General_ExceptionPrivilege', array("'view'")));
+ }
+ }
 }
diff --git a/plugins/SitesManager/API.php b/plugins/SitesManager/API.php
index 386734e1f8..222f3be7af 100644
--- a/plugins/SitesManager/API.php
+++ b/plugins/SitesManager/API.php
@@ -340,6 +340,10 @@ class API extends \Piwik\Plugin\API
 || TaskScheduler::isTaskBeingExecuted())
 ) {
+ if (Piwik::hasTheUserSuperUserAccess($_restrictSitesToLogin)) {
+ return Access::getInstance()->getSitesIdWithAtLeastViewAccess();
+ }
+
 $accessRaw = Access::getInstance()->getRawSitesWithSomeViewAccess($_restrictSitesToLogin);
 $sitesId = array();
 foreach ($accessRaw as $access) { |
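Review bot: The membership test in the new checkUserHasViewPermission, `!in_array($idSite, $idSitesUserHasAccess)`, is a loose comparison used as an authorization decision; `$idSite` is read from the report row and `$idSitesUserHasAccess` comes back from the SitesManager API, so the two sides only line up through PHP's type juggling. Normalise both sides and compare strictly, `if (!in_array((int) $idSite, array_map('intval', $idSitesUserHasAccess), true))`, which also makes the preceding `empty($idSitesUserHasAccess) ||` guard redundant since `in_array` on an empty array is already false. The `empty($idSite)` early return skips the check entirely for a report without a site; if that is intended, say so in a comment such as `// reports not bound to a site need no per-site permission check`. A docblock would also help, stating that `$login` is taken from the report row (presumably the owner, not the requesting user) and that NoAccessException is thrown when that login no longer has view access to `$idSite`.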
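Review bot: The new super-user branch in SitesManager returns `Access::getInstance()->getSitesIdWithAtLeastViewAccess()` without passing `$_restrictSitesToLogin`, so the list reflects whoever the current Access instance represents rather than the login that was just checked with `hasTheUserSuperUserAccess($_restrictSitesToLogin)`. If this branch can be reached in a request whose current user is not a super user (the enclosing condition and the method's start lie outside the hunk, so I can't confirm which contexts get here), the super-user login would presumably be limited to the caller's sites instead of all sites. Either pass the login through to whatever produces the full site list, or record the assumption on the branch: `// $_restrictSitesToLogin is a super user; the current Access context is expected to be super user here (scheduled task), so its site list is the complete one`.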