-rw-r--r-- | config/global.ini.php | 4 | ||||
-rw-r--r-- | core/Controller.php | 31 | ||||
-rw-r--r-- | plugins/CoreAdminHome/Controller.php | 2 | ||||
-rw-r--r-- | plugins/CoreAdminHome/templates/header.tpl | 17 | ||||
-rw-r--r-- | plugins/CorePluginsAdmin/Controller.php | 2 | ||||
-rw-r--r-- | plugins/DBStats/Controller.php | 2 | ||||
-rw-r--r-- | plugins/Login/Controller.php | 10 | ||||
-rw-r--r-- | plugins/Login/templates/header.tpl | 4 | ||||
-rw-r--r-- | plugins/SecurityInfo/Controller.php | 2 | ||||
-rw-r--r-- | plugins/SitesManager/Controller.php | 2 | ||||
-rw-r--r-- | plugins/UsersManager/Controller.php | 3 | ||||
-rw-r--r-- | plugins/VisitorGenerator/Controller.php | 3 |
12 files changed, 62 insertions, 20 deletions
diff --git a/config/global.ini.php b/config/global.ini.php index 025e265787..56ec7e1194 100644 --- a/config/global.ini.php +++ b/config/global.ini.php @@ -173,6 +173,10 @@ login_password_recovery_email_name = Piwik ; Default is 0 (i.e., bust frames on the Login forms). enable_framed_logins = 0 +; Set to 1 to disable the framebuster (a click-jacking countermeasure). +; Default is 0 (i.e., bust frames on the Settings forms). +enable_framed_settings = 0 + ; language cookie name for session language_cookie_name = piwik_lang diff --git a/core/Controller.php b/core/Controller.php index 9c456f267f..8dceafca59 100644 --- a/core/Controller.php +++ b/core/Controller.php @@ -364,17 +364,14 @@ abstract class Piwik_Controller } /** - * Will only set the minimal variables in the view object - * Used by Admin screens + * Set the minimal variables in the view object * * @param Piwik_View $view */ protected function setBasicVariablesView($view) { $view->topMenu = Piwik_GetTopMenu(); - $view->currentAdminMenuName = Piwik_GetCurrentAdminMenuName(); $view->debugTrackVisitsInsidePiwikUI = Zend_Registry::get('config')->Debug->track_visits_inside_piwik_ui; - $view->isSuperUser = Zend_Registry::get('access')->isSuperUser(); } @@ -562,3 +559,29 @@ abstract class Piwik_Controller } } } + +/** + * Parent class of all plugins Controllers with admin functions + * + * @package Piwik + */ +abstract class Piwik_Controller_Admin +{ + /** + * Used by Admin screens + * + * @param Piwik_View $view + */ + protected function setBasicVariablesView($view) + { + parent::setBasicVariablesView($view); + + $view->currentAdminMenuName = Piwik_GetCurrentAdminMenuName(); + + $view->enableFrames = Zend_Registry::get('config')->General->enable_framed_settings; + if(!$view->enableFrames) + { + $view->setXFrameOptions('sameorigin'); + } + } +} diff --git a/plugins/CoreAdminHome/Controller.php b/plugins/CoreAdminHome/Controller.php index 1dbbae3c33..6c7f245c2c 100644 --- a/plugins/CoreAdminHome/Controller.php 
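Review bot: The `$view->isSuperUser = Zend_Registry::get('access')->isSuperUser();` line removed from Piwik_Controller::setBasicVariablesView in this hunk is not re-added anywhere in the diff, including the new Piwik_Controller_Admin::setBasicVariablesView that takes over the other removed line. Any template that still reads `$isSuperUser` (I cannot confirm the consumers from this diff) would now see it unset and silently take the non-superuser branch. If the flag is still consumed by admin screens, it should move to the Admin subclass alongside `currentAdminMenuName`; if it is intentionally dropped, a one-line note in the commit message or docblock would make that explicit. The rewritten docblock could also keep a pointer, e.g. `* Admin screens use Piwik_Controller_Admin::setBasicVariablesView, which extends this.`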
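Review bot: `abstract class Piwik_Controller_Admin` is declared without an `extends Piwik_Controller` clause, yet its setBasicVariablesView calls `parent::setBasicVariablesView($view)`, which is a fatal "Cannot use 'parent' when current class scope has no parent" error in PHP; every plugin controller switched to this base in the diff (CoreAdminHome, CorePluginsAdmin, DBStats, SecurityInfo, SitesManager, UsersManager, VisitorGenerator) would also lose the Piwik_Controller methods they rely on. The declaration should read `abstract class Piwik_Controller_Admin extends Piwik_Controller`. Since this class is now the place where the `X-Frame-Options: sameorigin` header is emitted for admin screens, a docblock sentence noting that the header is only sent for actions that go through setBasicVariablesView would help future controllers that render a view without calling it, e.g. `* Sets X-Frame-Options unless enable_framed_settings is on; call it from every admin action that renders a view.`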
+++ b/plugins/CoreAdminHome/Controller.php @@ -14,7 +14,7 @@ * * @package Piwik_CoreAdminHome */ -class Piwik_CoreAdminHome_Controller extends Piwik_Controller +class Piwik_CoreAdminHome_Controller extends Piwik_Controller_Admin { public function index() { diff --git a/plugins/CoreAdminHome/templates/header.tpl b/plugins/CoreAdminHome/templates/header.tpl index fd66580d4f..fe95a5cfb1 100644 --- a/plugins/CoreAdminHome/templates/header.tpl +++ b/plugins/CoreAdminHome/templates/header.tpl @@ -14,8 +14,25 @@ <!--[if IE]> <link rel="stylesheet" type="text/css" href="themes/default/ieonly.css" /> <![endif]--> +{if isset($enableFrames) && !$enableFrames} +{literal} + <style>body { display : none; }</style> +{/literal} +{/if} </head> <body> +{if isset($enableFrames) && !$enableFrames} +{literal} + <script type="text/javascript"> + if(self == top) { + var theBody = document.getElementsByTagName('body')[0]; + theBody.style.display = 'block'; + } else { + top.location = self.location; + } + </script> +{/literal} +{/if} <div id="root"> {if !isset($showTopMenu) || $showTopMenu} {include file="CoreHome/templates/top_bar.tpl"} diff --git a/plugins/CorePluginsAdmin/Controller.php b/plugins/CorePluginsAdmin/Controller.php index f0dd4344e3..3d5accf8a9 100644 --- a/plugins/CorePluginsAdmin/Controller.php +++ b/plugins/CorePluginsAdmin/Controller.php @@ -14,7 +14,7 @@ * * @package Piwik_CorePluginsAdmin */ -class Piwik_CorePluginsAdmin_Controller extends Piwik_Controller +class Piwik_CorePluginsAdmin_Controller extends Piwik_Controller_Admin { function index() { diff --git a/plugins/DBStats/Controller.php b/plugins/DBStats/Controller.php index 9dea86426f..8feeb6e6a5 100644 --- a/plugins/DBStats/Controller.php +++ b/plugins/DBStats/Controller.php @@ -14,7 +14,7 @@ * * @package Piwik_DBStats */ -class Piwik_DBStats_Controller extends Piwik_Controller +class Piwik_DBStats_Controller extends Piwik_Controller_Admin { function index() { 
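Review bot: The `body { display: none }` style plus the `top.location = self.location` script added to CoreAdminHome/templates/header.tpl is a verbatim copy of the block in plugins/Login/templates/header.tpl, and both are conditioned on the same `$enableFrames` view variable. A shared include (e.g. a small template under CoreHome pulled in by both headers) would keep the two copies from drifting, which matters for a security control that must stay consistent. It is also worth a template comment that this script is only a fallback: the `X-Frame-Options: sameorigin` header set in Piwik_Controller_Admin::setBasicVariablesView is the control browsers enforce, and a JavaScript framebuster alone does not hold against a hostile framing page. Because the check is `isset($enableFrames) && !$enableFrames`, an admin action that renders this header without calling setBasicVariablesView gets neither the script nor the header; a comment stating that dependency would make the failure mode visible.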
diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php index 8bb3b968c3..e8870dbae6 100644 --- a/plugins/Login/Controller.php +++ b/plugins/Login/Controller.php @@ -77,13 +77,14 @@ class Piwik_Login_Controller extends Piwik_Controller { $view->linkTitle = Piwik::getRandomTitle(); - $enableFramedLogins = Zend_Registry::get('config')->General->enable_framed_logins; - $view->enableFramedLogins = $enableFramedLogins; - if(!$enableFramedLogins) + $view->enableFrames = Zend_Registry::get('config')->General->enable_framed_logins; + if(!$view->enableFrames) { $view->setXFrameOptions('sameorigin'); } + $view->forceSslLogin = Zend_Registry::get('config')->General->force_ssl_login; + // crsf token: don't trust the submitted value; generate/fetch it from session data $view->nonce = Piwik_Nonce::getNonce('Piwik_Login.login'); } @@ -232,7 +233,6 @@ class Piwik_Login_Controller extends Piwik_Controller } $this->configureView($view); echo $view->render(); - exit; } @@ -317,9 +317,7 @@ class Piwik_Login_Controller extends Piwik_Controller } $this->configureView($view); - echo $view->render(); - exit; } diff --git a/plugins/Login/templates/header.tpl b/plugins/Login/templates/header.tpl index e7e69f97b1..b292613fbd 100644 --- a/plugins/Login/templates/header.tpl +++ b/plugins/Login/templates/header.tpl @@ -8,7 +8,7 @@ <link rel="stylesheet" type="text/css" href="plugins/Login/templates/login.css" /> <meta name="description" content="{'General_OpenSourceWebAnalytics'|translate|escape}" /> -{if isset($enableFramedLogins) && !$enableFramedLogins} +{if isset($enableFrames) && !$enableFrames} {literal} <style>body { display : none; }</style> {/literal} @@ -42,7 +42,7 @@ {/if} </head> <body class="login"> -{if isset($enableFramedLogins) && !$enableFramedLogins} +{if isset($enableFrames) && !$enableFrames} {literal} <script type="text/javascript"> if(self == top) { 
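Review bot: In the `@@ -317,9 +317,7` hunk both `echo $view->render();` and `exit;` are removed after `$this->configureView($view);`, so that method now configures a view it never outputs unless the caller renders it; I cannot see the method's signature or its callers from this diff, so if the intent is to return the rendered view, the hunk should keep a `return $view->render();` (or the echo) rather than dropping the output entirely. The earlier `@@ -232,7 +233,6` hunk removes only the `exit;`, which changes the action from terminating the request to returning to its caller; that is fine if the dispatcher ends the request, but any code after the call in the caller now runs and could append to the already-echoed page. Both enclosing methods start and end outside their hunks. The `$view->forceSslLogin` line added in the first hunk reads config only, so the template is where the SSL redirect decision would need a corresponding check.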
diff --git a/plugins/SecurityInfo/Controller.php b/plugins/SecurityInfo/Controller.php index 70bb5878fc..a3332a551d 100644 --- a/plugins/SecurityInfo/Controller.php +++ b/plugins/SecurityInfo/Controller.php @@ -13,7 +13,7 @@ /** * @package Piwik_SecurityInfo */ -class Piwik_SecurityInfo_Controller extends Piwik_Controller +class Piwik_SecurityInfo_Controller extends Piwik_Controller_Admin { function index() { diff --git a/plugins/SitesManager/Controller.php b/plugins/SitesManager/Controller.php index c93d09db66..ae98b1f66b 100644 --- a/plugins/SitesManager/Controller.php +++ b/plugins/SitesManager/Controller.php @@ -14,7 +14,7 @@ * * @package Piwik_SitesManager */ -class Piwik_SitesManager_Controller extends Piwik_Controller +class Piwik_SitesManager_Controller extends Piwik_Controller_Admin { /* * Main view showing listing of websites and settings diff --git a/plugins/UsersManager/Controller.php b/plugins/UsersManager/Controller.php index b5f608b296..e6de17fd81 100644 --- a/plugins/UsersManager/Controller.php +++ b/plugins/UsersManager/Controller.php @@ -10,12 +10,11 @@ * @package Piwik_UsersManager */ - /** * * @package Piwik_UsersManager */ -class Piwik_UsersManager_Controller extends Piwik_Controller +class Piwik_UsersManager_Controller extends Piwik_Controller_Admin { /** * The "Manage Users and Permissions" Admin UI screen diff --git a/plugins/VisitorGenerator/Controller.php b/plugins/VisitorGenerator/Controller.php index 34373a972b..6253e413d7 100644 --- a/plugins/VisitorGenerator/Controller.php +++ b/plugins/VisitorGenerator/Controller.php @@ -14,7 +14,8 @@ * * @package Piwik_VisitorGenerator */ -class Piwik_VisitorGenerator_Controller extends Piwik_Controller { +class Piwik_VisitorGenerator_Controller extends Piwik_Controller_Admin +{ public function index() { Piwik::checkUserIsSuperUser(); |