
github.com/matomo-org/matomo.git - Unnamed repository; edit this file 'description' to name the repository.
authorThomas Steur <tsteur@users.noreply.github.com>2020-08-11 01:39:06 +0300
committerGitHub <noreply@github.com>2020-08-11 01:39:06 +0300
commitb09093780b6a906a0522bda2a8137ca280ab3f65 (patch)
treedb5733daafaa9c6ef29b1c65af835f8ae9844f6b /tests/UI
parentfc08d43ed00315180cdc2907a35086add7a04ad2 (diff)
Only allow widgetize and token usage for view users (#16263)
Diffstat (limited to 'tests/UI')
-rw-r--r--tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png3
-rw-r--r--tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png4
-rw-r--r--tests/UI/expected-screenshots/Theme_home.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png3
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_api_error.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png4
-rw-r--r--tests/UI/specs/BarGraph_spec.js10
-rw-r--r--tests/UI/specs/Comparison_spec.js4
-rw-r--r--tests/UI/specs/UIIntegration_spec.js6
11 files changed, 33 insertions, 17 deletions
diff --git a/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png b/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
new file mode 100644
index 0000000000..5b0a68c035
--- /dev/null
+++ b/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ecd652a528a11799f42fc81a41bc5123e06e23cbc218ede634e0ed776d7d7cc
+size 48697
diff --git a/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png b/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png
index 1fea0f9c9f..9b089b4875 100644
--- a/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png
+++ b/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:3cb89b82fc84803436dfceb89ff0fe2fc27c39f73e7a0932cdc38335c220b380
-size 366894
+oid sha256:c870b64bea3a0233c602e70e2cd7b4da5820182d08056fe85965444d6cd524a5
+size 366822
diff --git a/tests/UI/expected-screenshots/Theme_home.png b/tests/UI/expected-screenshots/Theme_home.png
index ad1ca26680..059f6d3e6a 100644
--- a/tests/UI/expected-screenshots/Theme_home.png
+++ b/tests/UI/expected-screenshots/Theme_home.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:5e843176745f9b331cda7744342745c52d231162970bb2a546bfd19401c72fbc
-size 728484
+oid sha256:ba8159f75e3c61863df48e676d21ff8522160fa22649d0fa3c2eedbe2a5d9353
+size 728419
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png
index 1c1e01bff8..f6ff75bd8a 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:c4ee6d92d654a5855ba2d4ff82d66ea8f7d8eb31760c25701256ac9009c2fbad
-size 149517
+oid sha256:e120afc0acdc1a94cb2493d2713a3d936f92f85b92f048b45e5be1373a1a0a7a
+size 149461
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png
new file mode 100644
index 0000000000..5b0a68c035
--- /dev/null
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ecd652a528a11799f42fc81a41bc5123e06e23cbc218ede634e0ed776d7d7cc
+size 48697
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png
index a7cef66fa1..fae1adeac8 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:8475ddc200fafc929289c5a0791cdc715eb64ee3cd04d6c08f0a702259169088
-size 79115
+oid sha256:840c3fbca67d466ec8079b402da4ef5f7f74286fc8e6978e5a09248d6196d068
+size 79078
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png b/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png
index 1c1e01bff8..f6ff75bd8a 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:c4ee6d92d654a5855ba2d4ff82d66ea8f7d8eb31760c25701256ac9009c2fbad
-size 149517
+oid sha256:e120afc0acdc1a94cb2493d2713a3d936f92f85b92f048b45e5be1373a1a0a7a
+size 149461
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png b/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png
index 758e4fd08c..0151f336e5 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:1802cb493b280d29cd404c8ef7bb38d5c76a149a4977531f890a5532151bb006
-size 652951
+oid sha256:dcef79816dcd6b1fedda86f25f2cbb2ec85b0101568cc3b6bf5e717e980aa89a
+size 652880
diff --git a/tests/UI/specs/BarGraph_spec.js b/tests/UI/specs/BarGraph_spec.js
index 6d1c63c66f..7ef3a562e5 100644
--- a/tests/UI/specs/BarGraph_spec.js
+++ b/tests/UI/specs/BarGraph_spec.js
@@ -10,8 +10,7 @@
describe("BarGraph", function () {
var tokenAuth = "c4ca4238a0b923820dcc509a6f75849b", // md5('superUserLogin' . md5('superUserPass'))
url = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
- + "actionToWidgetize=getKeywords&viewDataTable=graphVerticalBar&isFooterExpandedInDashboard=1&"
- + "token_auth=" + tokenAuth;
+ + "actionToWidgetize=getKeywords&viewDataTable=graphVerticalBar&isFooterExpandedInDashboard=1&";
before(function () {
// use real auth + token auth to test that auth works when widgetizing reports in an iframe
@@ -19,8 +18,13 @@ describe("BarGraph", function () {
testEnvironment.save();
});
+ it("should fail when admin token is used", async function () {
+ await page.goto(url + 'token_auth=' + tokenAuth);
+ expect(await page.screenshot({ fullPage: true })).to.matchImage('load_fail_when_token_used');
+ });
+
it("should load correctly", async function () {
- await page.goto(url);
+ await page.goto(url + 'token_auth=a4ca4238a0b923820dcc509a6f75849f');
expect(await page.screenshot({ fullPage: true })).to.matchImage('load');
});
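Review bot: The token passed in "should load correctly" is a bare literal, `'a4ca4238a0b923820dcc509a6f75849f'`, with nothing saying which fixture user it belongs to, while the superuser token sits in the commented `tokenAuth` variable. Going by the commit title it is presumably the view-only user's token; declaring it beside `tokenAuth`, e.g. `viewTokenAuth = "a4ca4238a0b923820dcc509a6f75849f", // presumably the view-only fixture user's token`, and renaming `tokenAuth` to something like `superUserTokenAuth` would make the allow/deny pair readable at a glance. After the first hunk both tests also rely on `url` ending in `&`, so a short comment on `url` such as `// callers append token_auth=...` would help. The `describe` body starts and continues outside these hunks.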
diff --git a/tests/UI/specs/Comparison_spec.js b/tests/UI/specs/Comparison_spec.js
index e31a48f5a6..43340c8ad1 100644
--- a/tests/UI/specs/Comparison_spec.js
+++ b/tests/UI/specs/Comparison_spec.js
@@ -17,10 +17,10 @@ describe("Comparison", function () {
compareParams = comparePeriod + compareSegment,
barGraphUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
+ "actionToWidgetize=getKeywords&viewDataTable=graphVerticalBar&isFooterExpandedInDashboard=1&"
- + "token_auth=" + tokenAuth + compareParams,
+ + compareParams,
pieGraphUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
+ "actionToWidgetize=getKeywords&viewDataTable=graphPie&isFooterExpandedInDashboard=1&"
- + "token_auth=" + tokenAuth + compareParams,
+ + compareParams,
goalsTableUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
+ "actionToWidgetize=getKeywords&viewDataTable=tableGoals&filter_limit=5&isFooterExpandedInDashboard=1" + compareParams,
htmlTableUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
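Review bot: With `token_auth` removed, `barGraphUrl` and `pieGraphUrl` still end their second fragment in `&` before `+ compareParams`, whereas `goalsTableUrl` appends `compareParams` directly after `isFooterExpandedInDashboard=1`. That suggests `compareParams` already begins with `&`, so the two graph URLs now carry an empty `&&` pair. Dropping the trailing `&`, e.g. `+ "actionToWidgetize=getKeywords&viewDataTable=graphPie&isFooterExpandedInDashboard=1"`, would keep the declarations consistent. If `tokenAuth` is no longer referenced elsewhere in this spec, its declaration can be removed too; it and the rest of the `var` statement lie outside the hunk.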
diff --git a/tests/UI/specs/UIIntegration_spec.js b/tests/UI/specs/UIIntegration_spec.js
index 7b18b1a809..00f3f19e66 100644
--- a/tests/UI/specs/UIIntegration_spec.js
+++ b/tests/UI/specs/UIIntegration_spec.js
@@ -731,6 +731,12 @@ describe("UIIntegrationTest", function () { // TODO: Rename to Piwik?
describe("AdminPages", function () {
this.title = parentSuite.title; // to make sure the screenshot prefix is the same
+ it('should not be possible to render any action using token_auth with at least some admin access', async function () {
+ await page.goto("?" + generalParams + "&module=CoreAdminHome&action=home&token_auth=c4ca4238a0b923820dcc509a6f75849b");
+
+ expect(await page.screenshot({ fullPage: true })).to.matchImage('admin_home_admintoken_not_allowed');
+ });
+
it('should load the Admin home page correct', async function () {
await page.goto("?" + generalParams + "&module=CoreAdminHome&action=home");
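Review bot: The title of the new test promises more than the test checks: it requests a single action (`CoreAdminHome`/`home`) with a single token, while the title says "any action" and "at least some admin access". The literal `c4ca4238a0b923820dcc509a6f75849b` is the value BarGraph_spec.js documents as the superuser token, so per-site admin or write tokens are not exercised here. Either narrow the title, e.g. `'should not render CoreAdminHome.home when a superuser token_auth is passed'`, or add cases for the other non-view roles if the fixtures provide such tokens. A comment naming the token's owner, such as `// superuser token, see BarGraph_spec.js`, would also help. The following "should load the Admin home page correct" test runs past the end of the hunk.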