authordiosmosis <diosmosis@users.noreply.github.com>2020-10-29 02:37:25 +0300
committerGitHub <noreply@github.com>2020-10-29 02:37:25 +0300
commit5c7b0f275a9fac7ef9ac8292db7b6bf1a40d8c6b (patch)
treede45a54aa679128663e569c929159ab0ebfbf959 /tests
parent935293db11b7ee98d97596118ae76d9023d8d79e (diff)
Add new INI config [General] enable_framed_allow_write_admin_token_auth… (#16595)
* Add new INI config [General] enable_framed_allow_write_admin_token_auth to allow framed matomo use case to still function in Matomo 4. * Link to faq in exception message. * apply pr feedback and write integration tests (not passing) * fix test * fix test * update screenshot * fix more ui tests * update exception message * update some expected screenshots * update screenshot Co-authored-by: Thomas Steur <tsteur@users.noreply.github.com>
Diffstat (limited to 'tests')
-rw-r--r--tests/PHPUnit/Integration/API/RequestTest.php184
-rw-r--r--tests/PHPUnit/Integration/FrontControllerTest.php2
-rw-r--r--tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png4
5 files changed, 189 insertions, 9 deletions
diff --git a/tests/PHPUnit/Integration/API/RequestTest.php b/tests/PHPUnit/Integration/API/RequestTest.php
index f698ed73ac..7b0755b79c 100644
--- a/tests/PHPUnit/Integration/API/RequestTest.php
+++ b/tests/PHPUnit/Integration/API/RequestTest.php
@@ -8,10 +8,14 @@
namespace Piwik\Tests\Integration\API;
+use Piwik\Access;
use Piwik\API\Request;
use Piwik\AuthResult;
-use Piwik\Db;
+use Piwik\Common;
+use Piwik\Config;
+use Piwik\Tests\Framework\Fixture;
use Piwik\Tests\Framework\TestCase\IntegrationTestCase;
+use ReflectionClass;
/**
* @group Core
@@ -25,6 +29,26 @@ class RequestTest extends IntegrationTestCase
private $userAuthToken = 'token';
+ private $idSitesAccess = [];
+
+ public function setUp(): void
+ {
+ parent::setUp();
+ $this->idSitesAccess = [
+ 'view' => array(1),
+ 'write' => array(),
+ 'admin' => array(),
+ 'superuser' => array(),
+ ];
+ }
+
+ protected static function beforeTableDataCached()
+ {
+ parent::beforeTableDataCached();
+
+ Fixture::createWebsite('2018-02-03 00:00:00');
+ }
+
public function test_process_shouldNotReloadAccessIfNoTokenAuthIsGiven()
{
$this->assertAccessNotReloaded();
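Review bot: The `$idSitesAccess` initializer in the new setUp() mixes short array syntax for the outer map with `array()` for the inner lists, while the tests further down in this file write the same lists as `[1]` and `[]`; a single form is easier to scan. Proposed: `'view' => [1], 'write' => [], 'admin' => [], 'superuser' => [],`. Since setUp() is also the natural place to snapshot process-wide state that the new tests mutate (`Common::$isCliMode`, see the next hunk), consider capturing the original value into a property here so a tearDown() can restore it.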
@@ -93,6 +117,152 @@ class RequestTest extends IntegrationTestCase
$this->assertTrue(Request::isApiRequest(array('module' => 'API', 'method' => 'test.method')));
}
+ public function test_checkTokenAuthIsNotLimited_allowsSuperUserTokenAuth_ifCurrentRequestIsForAPI()
+ {
+ $this->expectNotToPerformAssertions();
+
+ Common::$isCliMode = false;
+ $this->access->setSuperUserAccess(true);
+
+ Request::checkTokenAuthIsNotLimited('API', 'index');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_allowsSuperUserTokenAuth_ifCurrentlyInCliMode()
+ {
+ $this->expectNotToPerformAssertions();
+
+ Common::$isCliMode = true;
+ $this->access->setSuperUserAccess(true);
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_doesNotAllowSuperUserTokenAuth_ifCurrentlyInUiRequest()
+ {
+ $this->expectException(\Exception::class);
+ $this->expectExceptionMessage('Widgetize_TooHighAccessLevel');
+
+ Common::$isCliMode = false;
+ $this->access->setSuperUserAccess(true);
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_doesNotAllowSuperUserTokenAuth_ifCurrentlyInUiRequestAndEnableConfigSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 1;
+
+ $this->expectException(\Exception::class);
+ $this->expectExceptionMessage('Widgetize_TooHighAccessLevel');
+
+ Common::$isCliMode = false;
+ $this->access->setSuperUserAccess(true);
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_doesNotAllowWriteTokenAuth_ifConfigNotSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 0;
+
+ $this->expectException(\Exception::class);
+ $this->expectExceptionMessage('Widgetize_ViewAccessRequired');
+
+ $this->idSitesAccess['view'] = [];
+ $this->idSitesAccess['write'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertTrue($this->access->isUserHasSomeWriteAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_doesNotAllowAdminTokenAuth_ifConfigNotSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 0;
+
+ $this->expectException(\Exception::class);
+ $this->expectExceptionMessage('Widgetize_ViewAccessRequired');
+
+ $this->idSitesAccess['view'] = [];
+ $this->idSitesAccess['admin'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertTrue($this->access->isUserHasSomeAdminAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_allowsWriteTokenAuth_ifConfigSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 1;
+
+ $this->idSitesAccess['view'] = [];
+ $this->idSitesAccess['write'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertTrue($this->access->isUserHasSomeWriteAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_allowsAdminTokenAuth_ifConfigSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 1;
+
+ $this->idSitesAccess['view'] = [];
+ $this->idSitesAccess['admin'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertTrue($this->access->isUserHasSomeAdminAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_allowsViewTokenAuth_ifConfigSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 1;
+
+ $this->idSitesAccess['view'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertFalse($this->access->isUserHasSomeAdminAccess());
+ $this->assertFalse($this->access->isUserHasSomeWriteAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_allowsViewTokenAuth_ifConfigNotSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 0;
+
+ $this->idSitesAccess['view'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertFalse($this->access->isUserHasSomeAdminAccess());
+ $this->assertFalse($this->access->isUserHasSomeWriteAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
private function assertSameUserAsBeforeIsAuthenticated()
{
$this->assertEquals($this->userAuthToken, $this->access->getTokenAuth());
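Review bot: Every new test mutates process-wide state — `Common::$isCliMode` (lines such as `Common::$isCliMode = false;` and `= true;`) and `Config::getInstance()->General['enable_framed_allow_write_admin_token_auth']` — and none restores it, so the outcome of later tests in this class depends on execution order unless IntegrationTestCase resets both between tests, which the hunk does not show. Because the method under test is an authorization gate, a leaked `enable_framed_allow_write_admin_token_auth = 1` from an "allows…ifConfigSet" test could mask a regression in the "…ifConfigNotSet" cases that do not set the key themselves (the superuser tests, for instance, never touch it). A tearDown() that resets the config key and restores the CLI flag from a value captured in setUp() (setUp() is in the previous hunk) removes the ordering dependency; proposed code below. Separately, the exception expectations use the broad `\Exception::class`, which is fine if that is what Request::checkTokenAuthIsNotLimited() throws, but a narrower type would make the message assertion less load-bearing.
```php
protected function tearDown(): void
{
    // Restore process-wide state mutated by the checkTokenAuthIsNotLimited tests so
    // test order cannot hide a regression in the config-not-set cases.
    Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 0;
    Common::$isCliMode = $this->originalIsCliMode; // captured in setUp()
    parent::tearDown();
}
```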
@@ -134,9 +304,19 @@ class RequestTest extends IntegrationTestCase
private function createAccessMock($auth)
{
$mock = $this->getMockBuilder('Piwik\Access')
- ->setMethods(array('getTokenAuth', 'reloadAccess'))
+ ->onlyMethods(array('loadSitesIfNeeded', 'reloadAccess', 'getTokenAuth'))
->enableProxyingToOriginalMethods()
->getMock();
+ $mock->method('loadSitesIfNeeded')->willReturnCallback(function () use ($mock) {
+ // setting the property directly since enableProxyingToOriginalMethods() will just proxy to the original
+ // method after this mock method is called. (we can't not call enableProxyingToOriginalMethods() because
+ // some tests require it)
+ $reflection = new ReflectionClass(Access::class);
+ $reflectionProperty = $reflection->getProperty('idsitesByAccess');
+ $reflectionProperty->setAccessible(true);
+
+ $reflectionProperty->setValue($mock, $this->idSitesAccess);
+ });
$mock->reloadAccess($auth);
return $mock;
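Review bot: The `loadSitesIfNeeded` callback writes `Access::idsitesByAccess` through reflection and, per the comment in the hunk, the original method is then still proxied to after the callback; whether the injected `$this->idSitesAccess` survives therefore depends on the original `loadSitesIfNeeded()` treating the property as already populated, which this hunk cannot show. Worth recording that assumption where the value is set: `// assumes the proxied original loadSitesIfNeeded() sees idsitesByAccess as already loaded and does not overwrite it — verify if Access changes`. The private property name is also a string literal coupled to Access internals; a rename would surface as a ReflectionException rather than a silent pass, which is acceptable but worth a one-line comment. createAccessMock()'s closing brace lies outside the hunk.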
diff --git a/tests/PHPUnit/Integration/FrontControllerTest.php b/tests/PHPUnit/Integration/FrontControllerTest.php
index 2d529786c1..d9074f2cc6 100644
--- a/tests/PHPUnit/Integration/FrontControllerTest.php
+++ b/tests/PHPUnit/Integration/FrontControllerTest.php
@@ -48,7 +48,7 @@ FORMAT;
$this->assertEquals('error', $response['result']);
$expectedFormat = <<<FORMAT
-test message on {includePath}/tests/resources/trigger-fatal-exception.php(23) #0 [internal function]: {closure}('CoreHome', 'index', Array) #1 {includePath}/core/EventDispatcher.php(141): call_user_func_array(Object(Closure), Array) #2 {includePath}/core/Piwik.php(809): Piwik\EventDispatcher-&gt;postEvent('Request.dispatc...', Array, false, Array) #3 {includePath}/core/FrontController.php(586): Piwik\Piwik::postEvent('Request.dispatc...', Array) #4 {includePath}/core/FrontController.php(166): Piwik\FrontController-&gt;doDispatch('CoreHome', 'index', Array) #5 {includePath}/tests/resources/trigger-fatal-exception.php(31): Piwik\FrontController-&gt;dispatch('CoreHome', 'index') #6 {main}
+test message on {includePath}/tests/resources/trigger-fatal-exception.php(23) #0 [internal function]: {closure}('CoreHome', 'index', Array) #1 {includePath}/core/EventDispatcher.php(141): call_user_func_array(Object(Closure), Array) #2 {includePath}/core/Piwik.php(809): Piwik\EventDispatcher-&gt;postEvent('Request.dispatc...', Array, false, Array) #3 {includePath}/core/FrontController.php(585): Piwik\Piwik::postEvent('Request.dispatc...', Array) #4 {includePath}/core/FrontController.php(166): Piwik\FrontController-&gt;doDispatch('CoreHome', 'index', Array) #5 {includePath}/tests/resources/trigger-fatal-exception.php(31): Piwik\FrontController-&gt;dispatch('CoreHome', 'index') #6 {main}
FORMAT;
$this->assertStringMatchesFormat($expectedFormat, $response['message']);
}
diff --git a/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png b/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
index 5b0a68c035..e4471dcaa2 100644
--- a/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
+++ b/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:2ecd652a528a11799f42fc81a41bc5123e06e23cbc218ede634e0ed776d7d7cc
-size 48697
+oid sha256:6a239a77aaa6c89e33e32b90ffe877d041d259104d2579b0c4082a45f8b8bd67
+size 52480
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png
index f63097f640..84b60458c7 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:736673adf097edb8310e6a2842d5393ab384584da8dd8a824fea4fbf95fdce1c
-size 4459413
+oid sha256:683ff5d0c15c73d0b3375f1e0b2d0b77b514c6557bb9aabb45b69562da4f3c5c
+size 4499185
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png
index 5b0a68c035..e4471dcaa2 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:2ecd652a528a11799f42fc81a41bc5123e06e23cbc218ede634e0ed776d7d7cc
-size 48697
+oid sha256:6a239a77aaa6c89e33e32b90ffe877d041d259104d2579b0c4082a45f8b8bd67
+size 52480