author | Kate Butler <kate@innocraft.com> | 2019-05-03 00:09:59 +0300 |
---|---|---|
committer | Thomas Steur <tsteur@users.noreply.github.com> | 2019-05-03 00:09:59 +0300 |
commit | 3492c37659ff9d5368d8b43827466e0edae6f392 (patch) | |
tree | f5cf2d0d6964ef13e22cbef12712e2fafc7ac923 /plugins | |
parent | cbd5899aab6276544d7ba2b51946839bb63bec62 (diff) |
Require password confirmation before installing plugins (#14387)
* Require password confirmation before installing plugins
* Simpler workflow for incorrect password when uploading plugin
* Refactoring
* PR changes
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/CorePluginsAdmin/Controller.php | 23 | ||||
-rw-r--r-- | plugins/Marketplace/Controller.php | 33 | ||||
-rw-r--r-- | plugins/Marketplace/templates/uploadPluginDialog.twig | 5 |
3 files changed, 53 insertions, 8 deletions
diff --git a/plugins/CorePluginsAdmin/Controller.php b/plugins/CorePluginsAdmin/Controller.php
index bbcd04cb9f..61fd7a105f 100644
--- a/plugins/CorePluginsAdmin/Controller.php
+++ b/plugins/CorePluginsAdmin/Controller.php
@@ -21,6 +21,7 @@ use Piwik\Notification;
 use Piwik\Piwik;
 use Piwik\Plugin;
 use Piwik\Plugins\CorePluginsAdmin\Model\TagManagerTeaser;
+use Piwik\Plugins\Login\PasswordVerifier;
 use Piwik\Plugins\Marketplace\Marketplace;
 use Piwik\Plugins\Marketplace\Controller as MarketplaceController;
 use Piwik\Plugins\Marketplace\Plugins;
@@ -62,18 +63,29 @@ class Controller extends Plugin\ControllerAdmin
 private $marketplacePlugins;
 /**
+ * @var PasswordVerifier
+ */
+ private $passwordVerify;
+
+ /**
 * Controller constructor.
 * @param Translator $translator
 * @param Plugin\SettingsProvider $settingsProvider
 * @param PluginInstaller $pluginInstaller
 * @param Plugins $marketplacePlugins
+ * @param PasswordVerifier $passwordVerify
 */
- public function __construct(Translator $translator, Plugin\SettingsProvider $settingsProvider, PluginInstaller $pluginInstaller, $marketplacePlugins = null)
- {
+ public function __construct(Translator $translator,
+ Plugin\SettingsProvider $settingsProvider,
+ PluginInstaller $pluginInstaller,
+ PasswordVerifier $passwordVerify,
+ $marketplacePlugins = null
+ ) {
 $this->translator = $translator;
 $this->settingsProvider = $settingsProvider;
 $this->pluginInstaller = $pluginInstaller;
 $this->pluginManager = Plugin\Manager::getInstance();
+ $this->passwordVerify = $passwordVerify;
 if (!empty($marketplacePlugins)) {
 $this->marketplacePlugins = $marketplacePlugins;
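Review bot: In the constructor hunk of plugins/CorePluginsAdmin/Controller.php, the new required `PasswordVerifier $passwordVerify` parameter is inserted ahead of `$marketplacePlugins`, which moves that optional argument from fourth to fifth position. Any test or subclass that builds this controller positionally would now pass its `Plugins` object where a `PasswordVerifier` is expected; callers are not visible here, so they need checking. The docblock also lists `@param PasswordVerifier $passwordVerify` after `@param Plugins $marketplacePlugins`, the reverse of the signature order, and should be reordered to match. The property name `$passwordVerify` reads as a verb; `$passwordVerifier` would match the type.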
@@ -102,6 +114,13 @@ class Controller extends Plugin\ControllerAdmin
 Nonce::discardNonce(MarketplaceController::INSTALL_NONCE);
+ if (!$this->passwordVerify->isPasswordCorrect(
+ Piwik::getCurrentUserLogin(),
+ Common::getRequestVar('confirmPassword', null, 'string')
+ )) {
+ throw new \Exception($this->translator->translate('Login_LoginPasswordNotCorrect'));
+ }
+
 if (empty($_FILES['pluginZip'])) {
 throw new \Exception('You did not specify a ZIP file.');
 }
diff --git a/plugins/Marketplace/Controller.php b/plugins/Marketplace/Controller.php
index ca39fc1958..49434de8ff 100644
--- a/plugins/Marketplace/Controller.php
+++ b/plugins/Marketplace/Controller.php
@@ -19,6 +19,7 @@ use Piwik\Plugin;
 use Piwik\Plugins\CorePluginsAdmin\Controller as PluginsController;
 use Piwik\Plugins\CorePluginsAdmin\CorePluginsAdmin;
 use Piwik\Plugins\CorePluginsAdmin\PluginInstaller;
+use Piwik\Plugins\Login\PasswordVerifier;
 use Piwik\Plugins\Marketplace\Input\Mode;
 use Piwik\Plugins\Marketplace\Input\PluginName;
 use Piwik\Plugins\Marketplace\Input\PurchaseType;
@@ -68,8 +69,19 @@ class Controller extends \Piwik\Plugin\ControllerAdmin
 */
 private $environment;
- public function __construct(LicenseKey $licenseKey, Plugins $plugins, Api\Client $marketplaceApi, Consumer $consumer, PluginInstaller $pluginInstaller, Environment $environment)
- {
+ /**
+ * @var PasswordVerifier
+ */
+ private $passwordVerify;
+
+ public function __construct(LicenseKey $licenseKey,
+ Plugins $plugins,
+ Api\Client $marketplaceApi,
+ Consumer $consumer,
+ PluginInstaller $pluginInstaller,
+ Environment $environment,
+ PasswordVerifier $passwordVerify
+ ) {
 $this->licenseKey = $licenseKey;
 $this->plugins = $plugins;
 $this->marketplaceApi = $marketplaceApi;
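Review bot: In the `uploadPlugin` hunk of plugins/CorePluginsAdmin/Controller.php, `confirmPassword` is read without a source array, so, as far as I know, `Common::getRequestVar` will also accept it from the query string, where a password ends up in server logs and browser history. Restrict the read to the request body: `Common::getRequestVar('confirmPassword', null, 'string', $_POST)`. `getRequestVar` is also understood to sanitise values, so add a test with a password containing `&`, `<` or a quote to confirm `isPasswordCorrect()` sees what the user typed. The check runs after `Nonce::discardNonce()`, so a mistyped password consumes the nonce; the enclosing method starts and ends outside the hunk.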
@@ -77,6 +89,7 @@ class Controller extends \Piwik\Plugin\ControllerAdmin
 $this->pluginInstaller = $pluginInstaller;
 $this->pluginManager = Plugin\Manager::getInstance();
 $this->environment = $environment;
+ $this->passwordVerify = $passwordVerify;
 parent::__construct();
 }
@@ -381,10 +394,18 @@ class Controller extends \Piwik\Plugin\ControllerAdmin
 public function installPlugin()
 {
- $view = $this->createUpdateOrInstallView('installPlugin', static::INSTALL_NONCE);
- $view->nonce = Nonce::getNonce(PluginsController::ACTIVATE_NONCE);
-
- return $view->render();
+ $params = array(
+ 'module' => 'Marketplace',
+ 'action' => 'installPlugin',
+ 'mode' => 'admin',
+ 'pluginName' => Common::getRequestVar('pluginName'),
+ 'nonce' => Common::getRequestVar('nonce')
+ );
+ if ($this->passwordVerify->requirePasswordVerifiedRecently($params)) {
+ $view = $this->createUpdateOrInstallView('installPlugin', static::INSTALL_NONCE);
+ $view->nonce = Nonce::getNonce(PluginsController::ACTIVATE_NONCE);
+ return $view->render();
+ }
 }
 private function createUpdateOrInstallView($template, $nonceName)
diff --git a/plugins/Marketplace/templates/uploadPluginDialog.twig b/plugins/Marketplace/templates/uploadPluginDialog.twig
index 5770d5fb31..7da4efddc5 100644
--- a/plugins/Marketplace/templates/uploadPluginDialog.twig
+++ b/plugins/Marketplace/templates/uploadPluginDialog.twig
@@ -8,6 +8,11 @@ action="{{ linkTo({'module':'CorePluginsAdmin', 'action':'uploadPlugin', 'nonce': installNonce}) }}">
 <input type="file" name="pluginZip">
 <br />
+ <div piwik-field uicontrol="password" name="confirmPassword" autocomplete="off"
+ data-title="{{ 'Login_ConfirmPasswordToContinue'|translate|e('html_attr') }}"
+ value="">
+ </div>
+
+ <input class="startUpload btn" type="submit" value="{{ 'Marketplace_UploadZipFile'|translate }}">
 </form>
 {% else %} |
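Review bot: `installPlugin()` in plugins/Marketplace/Controller.php now has no `return` on the path where `requirePasswordVerifiedRecently($params)` is false, so the action yields null unless that helper redirects and ends the request itself, which is not visible in this hunk. State the contract above the `if`, for example `// Returns nothing when the password was not confirmed recently: the verifier is expected to have redirected to the confirmation form.` The request `nonce` is copied into `$params` before anything verifies it; if those parameters build the return URL, confirm that `createUpdateOrInstallView()` still validates the nonce after the round trip. That helper's name suggests an update path shares it, and only the install action is gated here.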
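Review bot: The new `confirmPassword` field in uploadPluginDialog.twig sets `autocomplete="off"`, which browsers commonly ignore on password inputs and which gets in the way of password managers. Assuming the `piwik-field` directive passes the attribute through to the input, `autocomplete="current-password"` states the intent of a re-authentication prompt more accurately. The field is also not marked as required, so an empty submission is rejected only by the server-side check in `uploadPlugin`.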