author | Stefan Giehl <stefan@matomo.org> | 2022-02-16 00:59:43 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-02-16 00:59:43 +0300 |
commit | 86b58ed26f82f7b6ddd683a0d2dfb886f73d31e8 (patch) | |
tree | c625c60fb5595caa8a14551b840eb5a5a87bc1ac /plugins/Dashboard | |
parent | 8770ed05a81c9f47c28231bdbc63693cfe2a09c0 (diff) |
Ensure Dashboard API methods can't be performed by or for anonymous user (#18798)
Diffstat (limited to 'plugins/Dashboard')
-rw-r--r-- | plugins/Dashboard/API.php | 15 | ||||
-rw-r--r-- | plugins/Dashboard/tests/Integration/APITest.php | 86 |
2 files changed, 100 insertions, 1 deletions
diff --git a/plugins/Dashboard/API.php b/plugins/Dashboard/API.php
index 77d6cc0a36..82f9b15337 100644
--- a/plugins/Dashboard/API.php
+++ b/plugins/Dashboard/API.php
@@ -8,6 +8,7 @@ namespace Piwik\Plugins\Dashboard;
 
 use Piwik\API\Request;
+use Piwik\NoAccessException;
 use Piwik\Piwik;
 
 /**
@@ -67,6 +68,7 @@ class API extends \Piwik\Plugin\API
      */
     public function createNewDashboardForUser($login, $dashboardName = '', $addDefaultWidgets = true)
     {
+        $this->checkLoginIsNotAnonymous($login);
         Piwik::checkUserHasSuperUserAccessOrIsTheUser($login);
 
         $layout = '{}';
@@ -95,6 +97,7 @@ class API extends \Piwik\Plugin\API
     {
         $login = $login ? $login : Piwik::getCurrentUserLogin();
 
+        $this->checkLoginIsNotAnonymous($login);
         Piwik::checkUserHasSuperUserAccessOrIsTheUser($login);
 
         $this->model->deleteDashboardForUser($idDashboard, $login);
@@ -150,8 +153,9 @@ class API extends \Piwik\Plugin\API
      */
     public function resetDashboardLayout($idDashboard, $login='')
     {
-        $login = $login ? $login : Piwik::getCurrentUserLogin();
+        $login = $login ?: Piwik::getCurrentUserLogin();
 
+        $this->checkLoginIsNotAnonymous($login);
         Piwik::checkUserHasSuperUserAccessOrIsTheUser($login);
 
         $layout = $this->dashboard->getDefaultLayout();
@@ -216,6 +220,15 @@ class API extends \Piwik\Plugin\API
         return $widgets;
     }
 
+    private function checkLoginIsNotAnonymous($login)
+    {
+        Piwik::checkUserIsNotAnonymous();
+
+        if ($login === 'anonymous') {
+            throw new \Exception('This method can\'t be performed for anonymous user');
+        }
+    }
+
     private function getColumnsFromDashboard($dashboard)
     {
         if (empty($dashboard['layout'])) {
diff --git a/plugins/Dashboard/tests/Integration/APITest.php b/plugins/Dashboard/tests/Integration/APITest.php
index 1e1cbbd1fa..829b8b8ba4 100644
--- a/plugins/Dashboard/tests/Integration/APITest.php
+++ b/plugins/Dashboard/tests/Integration/APITest.php
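Review bot: `use Piwik\NoAccessException;` is added in this hunk but nothing in this file's hunks throws it; the new `checkLoginIsNotAnonymous` helper (last hunk of this file) throws a bare `\Exception` for the `$login === 'anonymous'` case, so callers and the API response layer cannot tell this authorization refusal apart from a generic failure. Either drop the import or, preferably, use it in the helper: `throw new NoAccessException('This method can\'t be performed for anonymous user');`, which keeps the message the new tests expect while classifying the failure the same way the `Piwik::checkUserIsNotAnonymous()` path presumably does for its 'General_YouMustBeLoggedIn' error. Whether the response builder maps NoAccessException to a distinct error code is not visible in this diff.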
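Review bot: In the removeDashboard hunk the defaulting line `$login = $login ? $login : Piwik::getCurrentUserLogin();` is kept as-is while the identical line in resetDashboardLayout is rewritten to `$login ?: Piwik::getCurrentUserLogin();` in the following hunk; the two methods should use the same form, `$login = $login ?: Piwik::getCurrentUserLogin();`. The ordering in both methods is right: the default is resolved before `checkLoginIsNotAnonymous`, so an anonymous caller that omits the login is still rejected by the first check. removeDashboard's signature lies outside the hunk.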
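Review bot: `checkLoginIsNotAnonymous` has no docblock and no parameter type, unlike the documented public methods around it; a header such as `/** Rejects calls made by the anonymous user or on behalf of the 'anonymous' login. @param string $login @throws \Exception */` would state the contract the three callers rely on. The reserved login is spelled as the literal `'anonymous'` here and again in each of the new tests; a single class constant would keep that value in one place. The comparison is a strict `===` against a lowercase literal, so a differently-cased value would pass this guard; whether logins are normalized before they reach this method is not visible here and should be confirmed.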
@@ -9,6 +9,7 @@ namespace Piwik\Plugins\Dashboard\tests\Integration;
 
 use Piwik\Plugins\Dashboard\API;
+use Piwik\Plugins\Dashboard\Dashboard;
 use Piwik\Plugins\Dashboard\Model;
 use Piwik\Plugins\UsersManager;
 use Piwik\Tests\Framework\Fixture;
@@ -125,6 +126,30 @@ class APITest extends IntegrationTestCase
         $this->api->createNewDashboardForUser('eva', 'name', $layout);
     }
 
+    public function testCreateNewDashboardForAnonymousDoesNotWork()
+    {
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('General_YouMustBeLoggedIn');
+
+        FakeAccess::$superUser = false;
+        FakeAccess::$identity = 'anonymous';
+
+        $layout ='[[{"uniqueId":"widgetLivewidget","parameters":{"module":"Live","action":"widget"}}]]';
+        $this->api->createNewDashboardForUser('anonymous', 'name', $layout);
+    }
+
+    public function testCreateNewDashboardForAnonymousDoesNotWorkForSuperUser()
+    {
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('This method can\'t be performed for anonymous user');
+
+        FakeAccess::$superUser = true;
+        FakeAccess::$identity = 'eva';
+
+        $layout ='[[{"uniqueId":"widgetLivewidget","parameters":{"module":"Live","action":"widget"}}]]';
+        $this->api->createNewDashboardForUser('anonymous', 'name', $layout);
+    }
+
     public function testCreateNewDashboardForUserHimself()
     {
         FakeAccess::$superUser = false;
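Review bot: Both new tests assert only `\Exception::class`, which any failure in the call would satisfy, so they do not pin that the refusal is an authorization error; for the anonymous-caller case, which goes through `Piwik::checkUserIsNotAnonymous()` and presumably raises `NoAccessException`, `$this->expectException(NoAccessException::class);` (with a matching `use` line) would be the stronger check, and the same applies to the removeDashboard and resetDashboardLayout tests in the next two hunks. Separately, both tests pass `$layout` as the third argument of createNewDashboardForUser, whose parameter is `$addDefaultWidgets` in the API.php hunk above; the exception fires before it is read, but passing `false` as testResetDashboard later does would read as intended rather than as a copy of the preceding test.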
@@ -174,6 +199,28 @@ class APITest extends IntegrationTestCase
         $this->api->copyDashboardToUser(5, 'eva', 'new name');
     }
 
+    public function testRemoveDashboardForAnonymousDoesntWork()
+    {
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('General_YouMustBeLoggedIn');
+
+        FakeAccess::$superUser = false;
+        FakeAccess::$identity = 'anonymous';
+
+        $this->api->removeDashboard(1, 'anonymous');
+    }
+
+    public function testRemoveDashboardForAnonymousDoesntWorkForSuperUser()
+    {
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('This method can\'t be performed for anonymous user');
+
+        FakeAccess::$superUser = true;
+        FakeAccess::$identity = 'eva';
+
+        $this->api->removeDashboard(1, 'anonymous');
+    }
+
     public function testRemoveDashboardForUserHimself()
     {
         FakeAccess::$superUser = false;
@@ -231,6 +278,45 @@ class APITest extends IntegrationTestCase
         $this->assertEmpty($dashboards);
     }
 
+    public function testResetDashboardForAnonymousDoesntWork()
+    {
+        FakeAccess::$superUser = false;
+        FakeAccess::$identity = 'anonymous';
+
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('General_YouMustBeLoggedIn');
+
+        $this->api->resetDashboardLayout(1, 'anonymous');
+    }
+
+    public function testResetDashboardForAnonymousDoesntWorkForSuperUser()
+    {
+        FakeAccess::$superUser = true;
+        FakeAccess::$identity = 'eva';
+
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('This method can\'t be performed for anonymous user');
+
+        $this->api->resetDashboardLayout(1, 'anonymous');
+    }
+
+    public function testResetDashboard()
+    {
+        $db = new Dashboard();
+        $dashboards = $this->model->getAllDashboardsForUser('eva');
+        $this->assertEmpty($dashboards);
+
+        $id = $this->api->createNewDashboardForUser('eva', 'name', false);
+
+        $dashboard = $db->getLayoutForUser('eva', $id);
+        $this->assertEquals('{}', $dashboard);
+
+        $this->api->resetDashboardLayout($id, 'eva');
+
+        $dashboard = $db->getLayoutForUser('eva', $id);
+        $this->assertEquals($db->getDefaultLayout(), $dashboard);
+    }
+
     public function provideContainerConfig()
     {
         return array(