Require password confirmation before setting/removing superuser access. (#13975)

* Require password confirmation for changing superuser access and fix issue where getSiteAccess is called w/ superuser when toggling superuser access.

* apply review feedback

* Allow bypassing password confirmation in certain scenarios.

* Fixing tests & adding UI test.

* Update submodule.

* test fixes + remove return; from 2fa tests.

* update submodule

* Fixing tests

* Couple tweaks for screenshot testing.

* test fixes

* Fix TwoFactorAuthUsersManager test.

* More test fixes.

* try to disable all transitions

* More UI test fixes + disable materialize animations globally in UI tests.

* 2fa ui tests now working

1 files changed, 5 insertions, 3 deletions

diff --git a/plugins/Installation/Controller.php b/plugins/Installation/Controller.php
index 8dd65f6899..ee9160af07 100644
--- a/plugins/Installation/Controller.php
+++ b/plugins/Installation/Controller.php
@@ -26,6 +26,7 @@ use Piwik\Plugins\Diagnostics\DiagnosticService;
 use Piwik\Plugins\LanguagesManager\LanguagesManager;
 use Piwik\Plugins\SitesManager\API as APISitesManager;
 use Piwik\Plugins\UsersManager\API as APIUsersManager;
+use Piwik\Plugins\UsersManager\UserUpdater;
 use Piwik\ProxyHeaders;
 use Piwik\SettingsPiwik;
 use Piwik\Tracker\TrackerCodeGenerator;
@@ -680,11 +681,12 @@ class Controller extends \Piwik\Plugin\ControllerAdmin
 
     private function createSuperUser($login, $password, $email)
     {
-        $self = $this;
-        Access::doAsSuperUser(function () use ($self, $login, $password, $email) {
+        Access::doAsSuperUser(function () use ($login, $password, $email) {
             $api = APIUsersManager::getInstance();
             $api->addUser($login, $password, $email);
-            $api->setSuperUserAccess($login, true);
+
+            $userUpdater = new UserUpdater();
+            $userUpdater->setSuperUserAccessWithoutCurrentPassword($login, true);
         });
     }