
authorThomas Steur <tsteur@users.noreply.github.com>2020-08-11 01:39:06 +0300
committerGitHub <noreply@github.com>2020-08-11 01:39:06 +0300
commitb09093780b6a906a0522bda2a8137ca280ab3f65 (patch)
treedb5733daafaa9c6ef29b1c65af835f8ae9844f6b /tests
parentfc08d43ed00315180cdc2907a35086add7a04ad2 (diff)
Only allow widgetize and token usage for view users (#16263)
Diffstat (limited to 'tests')
-rw-r--r--tests/PHPUnit/Fixtures/UITestFixture.php13
-rw-r--r--tests/PHPUnit/Framework/Fixture.php4
-rw-r--r--tests/PHPUnit/Integration/FrontControllerTest.php2
-rw-r--r--tests/PHPUnit/System/CookieTest.php18
-rw-r--r--tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png3
-rw-r--r--tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png4
-rw-r--r--tests/UI/expected-screenshots/Theme_home.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png3
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_api_error.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png4
-rw-r--r--tests/UI/specs/BarGraph_spec.js10
-rw-r--r--tests/UI/specs/Comparison_spec.js4
-rw-r--r--tests/UI/specs/UIIntegration_spec.js6
15 files changed, 68 insertions, 19 deletions
diff --git a/tests/PHPUnit/Fixtures/UITestFixture.php b/tests/PHPUnit/Fixtures/UITestFixture.php
index 7ea86b7569..567b106921 100644
--- a/tests/PHPUnit/Fixtures/UITestFixture.php
+++ b/tests/PHPUnit/Fixtures/UITestFixture.php
@@ -127,6 +127,19 @@ class UITestFixture extends SqlDump
);
$this->addDangerousLinks();
+
+ $model = new \Piwik\Plugins\UsersManager\Model();
+ $user = $model->getUser(self::VIEW_USER_LOGIN);
+
+ if (empty($user)) {
+ $model->addUser(self::VIEW_USER_LOGIN, self::VIEW_USER_PASSWORD, 'hello2@example.org', Date::now()->getDatetime());
+ $model->addUserAccess(self::VIEW_USER_LOGIN, 'view', array(1));
+ } else {
+ $model->updateUser(self::VIEW_USER_LOGIN, self::VIEW_USER_PASSWORD, 'hello2@example.org');
+ }
+ if (!$model->getUserByTokenAuth(self::VIEW_USER_TOKEN)) {
+ $model->addTokenAuth(self::VIEW_USER_LOGIN,self::VIEW_USER_TOKEN, 'View user token', Date::now()->getDatetime());
+ }
}
public function performSetUp($setupEnvironmentOnly = false)
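Review bot: The `else` branch of `if (empty($user))` refreshes the existing user's password and e-mail but does not re-establish the `view` access on site 1, so when this fixture is reused against a persisted database in which that access row was removed, the view user silently ends up with no permissions and the new widgetize tests fail for an unrelated reason; an idempotent setup would key on the access row rather than on user existence, e.g. `$model->addUserAccess(self::VIEW_USER_LOGIN, 'view', [1]);` outside the branch, provided `addUserAccess` tolerates an existing row (not visible here). The following `if (!$model->getUserByTokenAuth(self::VIEW_USER_TOKEN))` only confirms that some user owns the token, not that it is `VIEW_USER_LOGIN`, which is acceptable for a fixture but worth a one-line comment. `Date` is used without a `use Piwik\Date;` visible in the hunk, which is fine if the file already imports it and a fatal error at setup otherwise. Stylistically, `array(1)` should be `[1]` and `self::VIEW_USER_LOGIN,self::VIEW_USER_TOKEN` is missing a space after the comma. The enclosing method begins before this hunk.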
diff --git a/tests/PHPUnit/Framework/Fixture.php b/tests/PHPUnit/Framework/Fixture.php
index 2a7cadaf95..97258b3550 100644
--- a/tests/PHPUnit/Framework/Fixture.php
+++ b/tests/PHPUnit/Framework/Fixture.php
@@ -83,6 +83,10 @@ class Fixture extends \PHPUnit\Framework\Assert
const ADMIN_USER_PASSWORD = 'superUserPass';
const ADMIN_USER_TOKEN = 'c4ca4238a0b923820dcc509a6f75849b';
+ const VIEW_USER_LOGIN = 'viewUserLogin';
+ const VIEW_USER_PASSWORD = 'viewUserPass';
+ const VIEW_USER_TOKEN = 'a4ca4238a0b923820dcc509a6f75849f';
+
const PERSIST_FIXTURE_DATA_ENV = 'PERSIST_FIXTURE_DATA';
public $dbName = false;
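Review bot: `VIEW_USER_TOKEN` is an unexplained 32-hex-digit literal that differs from `ADMIN_USER_TOKEN` only in its first and last characters, and unlike the admin token (documented in BarGraph_spec.js as `md5('superUserLogin' . md5('superUserPass'))`) nothing says how it was chosen or where it is seeded. A short comment above the constant would save the next reader from trying to derive it: `// Arbitrary fixed token seeded into the test DB by UITestFixture for VIEW_USER_LOGIN; not derived from the password.` If the intent is precisely that this token is not derivable from the password, the comment is also the place to say so, since the admin token is.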
diff --git a/tests/PHPUnit/Integration/FrontControllerTest.php b/tests/PHPUnit/Integration/FrontControllerTest.php
index 8699da62ea..8a4945dec5 100644
--- a/tests/PHPUnit/Integration/FrontControllerTest.php
+++ b/tests/PHPUnit/Integration/FrontControllerTest.php
@@ -48,7 +48,7 @@ FORMAT;
$this->assertEquals('error', $response['result']);
$expectedFormat = <<<FORMAT
-test message on {includePath}/tests/resources/trigger-fatal-exception.php(23) #0 [internal function]: {closure}('CoreHome', 'index', Array) #1 {includePath}/core/EventDispatcher.php(141): call_user_func_array(Object(Closure), Array) #2 {includePath}/core/Piwik.php(802): Piwik\EventDispatcher-&gt;postEvent('Request.dispatc...', Array, false, Array) #3 {includePath}/core/FrontController.php(569): Piwik\Piwik::postEvent('Request.dispatc...', Array) #4 {includePath}/core/FrontController.php(165): Piwik\FrontController-&gt;doDispatch('CoreHome', 'index', Array) #5 {includePath}/tests/resources/trigger-fatal-exception.php(31): Piwik\FrontController-&gt;dispatch('CoreHome', 'index') #6 {main}
+test message on {includePath}/tests/resources/trigger-fatal-exception.php(23) #0 [internal function]: {closure}('CoreHome', 'index', Array) #1 {includePath}/core/EventDispatcher.php(141): call_user_func_array(Object(Closure), Array) #2 {includePath}/core/Piwik.php(802): Piwik\EventDispatcher-&gt;postEvent('Request.dispatc...', Array, false, Array) #3 {includePath}/core/FrontController.php(574): Piwik\Piwik::postEvent('Request.dispatc...', Array) #4 {includePath}/core/FrontController.php(165): Piwik\FrontController-&gt;doDispatch('CoreHome', 'index', Array) #5 {includePath}/tests/resources/trigger-fatal-exception.php(31): Piwik\FrontController-&gt;dispatch('CoreHome', 'index') #6 {main}
FORMAT;
$this->assertStringMatchesFormat($expectedFormat, $response['message']);
}
diff --git a/tests/PHPUnit/System/CookieTest.php b/tests/PHPUnit/System/CookieTest.php
index 0c5d709a5b..bd32beea96 100644
--- a/tests/PHPUnit/System/CookieTest.php
+++ b/tests/PHPUnit/System/CookieTest.php
@@ -8,9 +8,11 @@
*/
namespace Piwik\Tests\System;
+use Piwik\Access;
use Piwik\Config;
use Piwik\SettingsPiwik;
use Piwik\Tests\Framework\Fixture;
+use Piwik\Tests\Framework\Mock\FakeAccess;
use Piwik\Tests\Framework\TestCase\SystemTestCase;
class CookieTest extends SystemTestCase
@@ -83,7 +85,6 @@ class CookieTest extends SystemTestCase
'period' => 'day',
'date' => 'yesterday',
'ignoreSalt' => md5(SettingsPiwik::getSalt()),
- 'token_auth' => $tokenAuth
);
$url = $matomoUrl . 'index.php?' . http_build_query($params);
@@ -105,4 +106,19 @@ class CookieTest extends SystemTestCase
{
self::assertStringContainsString('SameSite=' . $expectedSameSite, $cookieHeader);
}
+
+ /**
+ * Use this method to return custom container configuration that you want to apply for the tests.
+ * This configuration will override Fixture config.
+ *
+ * @return array
+ */
+ public static function provideContainerConfigBeforeClass()
+ {
+ $fakeAccess = new FakeAccess();
+ $fakeAccess->setSuperUserAccess(true);
+ return [
+ Access::class => $fakeAccess
+ ];
+ }
} \ No newline at end of file
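Review bot: The docblock on `provideContainerConfigBeforeClass` is the generic template text ("Use this method to return custom container configuration...") and does not say why this test now needs a super-user `FakeAccess`; the reason is in the earlier hunk of this file, where `'token_auth' => $tokenAuth` was dropped from the request parameters, in line with the commit's intent that admin tokens no longer authenticate such requests. Replace the boilerplate with the actual rationale, e.g. `/** The request no longer carries an admin token_auth, so grant super user access through the container instead. */`, and tighten `@return array` to `@return array<class-string, object>`. With that parameter removed, the `$tokenAuth` assignment earlier in the same test (outside the hunk) is probably dead and should go unless another request still uses it. The returned array literal also lacks a trailing comma after `Access::class => $fakeAccess`, which the project's multi-line array style would normally carry.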
diff --git a/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png b/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
new file mode 100644
index 0000000000..5b0a68c035
--- /dev/null
+++ b/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ecd652a528a11799f42fc81a41bc5123e06e23cbc218ede634e0ed776d7d7cc
+size 48697
diff --git a/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png b/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png
index 1fea0f9c9f..9b089b4875 100644
--- a/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png
+++ b/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:3cb89b82fc84803436dfceb89ff0fe2fc27c39f73e7a0932cdc38335c220b380
-size 366894
+oid sha256:c870b64bea3a0233c602e70e2cd7b4da5820182d08056fe85965444d6cd524a5
+size 366822
diff --git a/tests/UI/expected-screenshots/Theme_home.png b/tests/UI/expected-screenshots/Theme_home.png
index ad1ca26680..059f6d3e6a 100644
--- a/tests/UI/expected-screenshots/Theme_home.png
+++ b/tests/UI/expected-screenshots/Theme_home.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:5e843176745f9b331cda7744342745c52d231162970bb2a546bfd19401c72fbc
-size 728484
+oid sha256:ba8159f75e3c61863df48e676d21ff8522160fa22649d0fa3c2eedbe2a5d9353
+size 728419
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png
index 1c1e01bff8..f6ff75bd8a 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:c4ee6d92d654a5855ba2d4ff82d66ea8f7d8eb31760c25701256ac9009c2fbad
-size 149517
+oid sha256:e120afc0acdc1a94cb2493d2713a3d936f92f85b92f048b45e5be1373a1a0a7a
+size 149461
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png
new file mode 100644
index 0000000000..5b0a68c035
--- /dev/null
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ecd652a528a11799f42fc81a41bc5123e06e23cbc218ede634e0ed776d7d7cc
+size 48697
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png
index a7cef66fa1..fae1adeac8 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:8475ddc200fafc929289c5a0791cdc715eb64ee3cd04d6c08f0a702259169088
-size 79115
+oid sha256:840c3fbca67d466ec8079b402da4ef5f7f74286fc8e6978e5a09248d6196d068
+size 79078
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png b/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png
index 1c1e01bff8..f6ff75bd8a 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:c4ee6d92d654a5855ba2d4ff82d66ea8f7d8eb31760c25701256ac9009c2fbad
-size 149517
+oid sha256:e120afc0acdc1a94cb2493d2713a3d936f92f85b92f048b45e5be1373a1a0a7a
+size 149461
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png b/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png
index 758e4fd08c..0151f336e5 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:1802cb493b280d29cd404c8ef7bb38d5c76a149a4977531f890a5532151bb006
-size 652951
+oid sha256:dcef79816dcd6b1fedda86f25f2cbb2ec85b0101568cc3b6bf5e717e980aa89a
+size 652880
diff --git a/tests/UI/specs/BarGraph_spec.js b/tests/UI/specs/BarGraph_spec.js
index 6d1c63c66f..7ef3a562e5 100644
--- a/tests/UI/specs/BarGraph_spec.js
+++ b/tests/UI/specs/BarGraph_spec.js
@@ -10,8 +10,7 @@
describe("BarGraph", function () {
var tokenAuth = "c4ca4238a0b923820dcc509a6f75849b", // md5('superUserLogin' . md5('superUserPass'))
url = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
- + "actionToWidgetize=getKeywords&viewDataTable=graphVerticalBar&isFooterExpandedInDashboard=1&"
- + "token_auth=" + tokenAuth;
+ + "actionToWidgetize=getKeywords&viewDataTable=graphVerticalBar&isFooterExpandedInDashboard=1&";
before(function () {
// use real auth + token auth to test that auth works when widgetizing reports in an iframe
@@ -19,8 +18,13 @@ describe("BarGraph", function () {
testEnvironment.save();
});
+ it("should fail when admin token is used", async function () {
+ await page.goto(url + 'token_auth=' + tokenAuth);
+ expect(await page.screenshot({ fullPage: true })).to.matchImage('load_fail_when_token_used');
+ });
+
it("should load correctly", async function () {
- await page.goto(url);
+ await page.goto(url + 'token_auth=a4ca4238a0b923820dcc509a6f75849f');
expect(await page.screenshot({ fullPage: true })).to.matchImage('load');
});
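Review bot: The view user's token is passed as a bare literal, `url + 'token_auth=a4ca4238a0b923820dcc509a6f75849f'`, while the admin token a few lines up has a named variable and a comment explaining its origin, so readers cannot tell this is `Fixture::VIEW_USER_TOKEN` without grepping. Declare it alongside `tokenAuth`, e.g. `viewTokenAuth = "a4ca4238a0b923820dcc509a6f75849f", // Fixture::VIEW_USER_TOKEN, seeded by UITestFixture`, and use `url + 'token_auth=' + viewTokenAuth` in "should load correctly". The new test in UIIntegration_spec.js inlines the admin token the same way in its "should not be possible to render any action using token_auth with at least some admin access" case. The first test's name says "admin token" but its screenshot is `load_fail_when_token_used`; since the PNG is new in this commit, naming it `load_fail_when_admin_token_used` would make a future failure self-explanatory.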
diff --git a/tests/UI/specs/Comparison_spec.js b/tests/UI/specs/Comparison_spec.js
index e31a48f5a6..43340c8ad1 100644
--- a/tests/UI/specs/Comparison_spec.js
+++ b/tests/UI/specs/Comparison_spec.js
@@ -17,10 +17,10 @@ describe("Comparison", function () {
compareParams = comparePeriod + compareSegment,
barGraphUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
+ "actionToWidgetize=getKeywords&viewDataTable=graphVerticalBar&isFooterExpandedInDashboard=1&"
- + "token_auth=" + tokenAuth + compareParams,
+ + compareParams,
pieGraphUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
+ "actionToWidgetize=getKeywords&viewDataTable=graphPie&isFooterExpandedInDashboard=1&"
- + "token_auth=" + tokenAuth + compareParams,
+ + compareParams,
goalsTableUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
+ "actionToWidgetize=getKeywords&viewDataTable=tableGoals&filter_limit=5&isFooterExpandedInDashboard=1" + compareParams,
htmlTableUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
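Review bot: After dropping `"token_auth=" + tokenAuth` from `barGraphUrl` and `pieGraphUrl`, both strings still end in `isFooterExpandedInDashboard=1&"` before `+ compareParams`, whereas `goalsTableUrl` appends `compareParams` directly after `isFooterExpandedInDashboard=1"`; if `compareParams` starts with `&`, as that line suggests, the two rewritten URLs now contain `&&`, which query parsing tolerates but is inconsistent. Dropping the trailing `&` on both lines matches `goalsTableUrl`. `tokenAuth` is declared above this hunk (not visible here) and, with both of its uses removed, may now be unused in this spec.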
diff --git a/tests/UI/specs/UIIntegration_spec.js b/tests/UI/specs/UIIntegration_spec.js
index 7b18b1a809..00f3f19e66 100644
--- a/tests/UI/specs/UIIntegration_spec.js
+++ b/tests/UI/specs/UIIntegration_spec.js
@@ -731,6 +731,12 @@ describe("UIIntegrationTest", function () { // TODO: Rename to Piwik?
describe("AdminPages", function () {
this.title = parentSuite.title; // to make sure the screenshot prefix is the same
+ it('should not be possible to render any action using token_auth with at least some admin access', async function () {
+ await page.goto("?" + generalParams + "&module=CoreAdminHome&action=home&token_auth=c4ca4238a0b923820dcc509a6f75849b");
+
+ expect(await page.screenshot({ fullPage: true })).to.matchImage('admin_home_admintoken_not_allowed');
+ });
+
it('should load the Admin home page correct', async function () {
await page.goto("?" + generalParams + "&module=CoreAdminHome&action=home");