-rw-r--r--core/View.php15
-rw-r--r--plugins/Annotations/javascripts/annotations.js1
-rw-r--r--plugins/CoreHome/angularjs/common/services/piwik-api.js2
-rw-r--r--plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js5
-rw-r--r--plugins/CoreHome/javascripts/broadcast.js1
-rw-r--r--plugins/CoreHome/javascripts/dataTable_rowactions.js1
-rw-r--r--plugins/Live/javascripts/SegmentedVisitorLog.js1
-rw-r--r--plugins/Live/javascripts/visitorProfile.js5
-rw-r--r--plugins/Overlay/javascripts/Overlay_Helper.js5
-rw-r--r--plugins/Overlay/javascripts/Piwik_Overlay.js1
-rw-r--r--plugins/Overlay/templates/index.twig5
-rw-r--r--plugins/Overlay/templates/index_noframe.twig5
12 files changed, 39 insertions, 8 deletions
diff --git a/core/View.php b/core/View.php
index ee9b8fd345..36596e9997 100644
--- a/core/View.php
+++ b/core/View.php
@@ -11,6 +11,7 @@ namespace Piwik;
use Exception;
use Piwik\AssetManager\UIAssetCacheBuster;
use Piwik\Container\StaticContainer;
+use Piwik\Session\SessionAuth;
use Piwik\View\ViewInterface;
use Piwik\View\SecurityPolicy;
use Twig\Environment;
@@ -465,7 +466,19 @@ class View implements ViewInterface
private function shouldPropagateTokenAuthInAjaxRequests()
{
$generalConfig = Config::getInstance()->General;
- return Common::getRequestVar('module', false) == 'Widgetize' || $generalConfig['enable_framed_pages'] == '1';
+ return Common::getRequestVar('module', false) == 'Widgetize' ||
+ $generalConfig['enable_framed_pages'] == '1' ||
+ $this->validTokenAuthInUrl();
+ }
+
+ /**
+ * @return bool
+ * @throws Exception
+ */
+ private function validTokenAuthInUrl()
+ {
+ $tokenAuth = Common::getRequestVar('token_auth', '', 'string', $_GET);
+ return ($tokenAuth && $tokenAuth === Piwik::getCurrentUserTokenAuth());
}
/**
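Review bot: `validTokenAuthInUrl` compares the URL-supplied token against the current user's token with `===`, a comparison whose timing depends on where the strings first differ, and the left operand is request input; `return $tokenAuth !== '' && hash_equals(Piwik::getCurrentUserTokenAuth(), $tokenAuth);` is the safer form (assuming `getCurrentUserTokenAuth()` returns a string, which the hunk does not show). The `use Piwik\Session\SessionAuth;` added at the top of the file is not referenced by either method in this hunk; if nothing else in View.php uses it, it should be dropped. The new docblock states only `@return bool`; a sentence such as `Returns true when the token_auth in the query string belongs to the currently authenticated user.` would explain why this now gates token propagation in `shouldPropagateTokenAuthInAjaxRequests`.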
diff --git a/plugins/Annotations/javascripts/annotations.js b/plugins/Annotations/javascripts/annotations.js
index f833045740..2a19f81ed5 100644
--- a/plugins/Annotations/javascripts/annotations.js
+++ b/plugins/Annotations/javascripts/annotations.js
@@ -112,6 +112,7 @@
var ajaxRequest = new ajaxHelper();
ajaxRequest.addParams(ajaxParams, 'get');
+ ajaxRequest.withTokenInUrl();
ajaxRequest.setFormat('html');
ajaxRequest.setCallback(callback);
ajaxRequest.send();
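Review bot: The new `ajaxRequest.withTokenInUrl();` carries no explanation of why this request needs the token, while the identical one-line addition in Piwik_Overlay.js in this commit is annotated `// needed because it is calling a controller and not the API`; the same applies to the additions in dataTable_rowactions.js and SegmentedVisitorLog.js. Carrying that comment to each of the three call sites would make the pattern self-explaining for the next reader. The enclosing function begins before this hunk.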
diff --git a/plugins/CoreHome/angularjs/common/services/piwik-api.js b/plugins/CoreHome/angularjs/common/services/piwik-api.js
index 53edc3f292..b9a8a9fb2f 100644
--- a/plugins/CoreHome/angularjs/common/services/piwik-api.js
+++ b/plugins/CoreHome/angularjs/common/services/piwik-api.js
@@ -338,7 +338,7 @@ var hasBlockedContent = false;
}
return {
- withTokenInUrl: withTokenInUrl,
+ withTokenInUrl: withTokenInUrl, // technically should probably be called withTokenInPost
bulkFetch: bulkFetch,
post: post,
fetch: fetch,
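Review bot: The trailing comment on `withTokenInUrl` records a naming problem without tracking it, so it will stay a remark rather than a task; phrasing it as `withTokenInUrl: withTokenInUrl, // TODO: rename to withTokenInPost (see note above)` makes it greppable as a follow-up. The enclosing function starts before this hunk.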
diff --git a/plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js b/plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js
index b1c0c3a11d..4614f01bbf 100644
--- a/plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js
+++ b/plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js
@@ -114,7 +114,10 @@
}
if (piwik.shouldPropagateTokenAuth && broadcast.getValueFromUrl('token_auth')) {
- url += '&force_api_session=1&token_auth=' + broadcast.getValueFromUrl('token_auth');
+ if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
+ url += '&force_api_session=1';
+ }
+ url += '&token_auth=' + encodeURIComponent(broadcast.getValueFromUrl('token_auth'));
}
url += '&random=' + parseInt(Math.random() * 10000);
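Review bot: `broadcast.getValueFromUrl('token_auth')` is evaluated twice in this block (in the condition and again on the new line that appends it); a local such as `var tokenAuth = broadcast.getValueFromUrl('token_auth');` used in both places avoids re-parsing the URL and reads better. The block also mixes `broadcast.` and `piwik.broadcast.` for what looks like the same object, so the new line should pick whichever form the file already uses. `isWidgetizeRequestWithoutSession` is not added by this commit (the broadcast.js hunk only removes a blank line), so it is presumably already defined there; worth confirming, since every call site added in this commit depends on it. The same force_api_session/token_auth sequence is now repeated here, in visitorProfile.js, Overlay_Helper.js and both Overlay templates; a single helper on broadcast that returns the query fragment would keep the five sites from drifting (the encodeURIComponent step already differs between them). The enclosing function begins before this hunk.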
diff --git a/plugins/CoreHome/javascripts/broadcast.js b/plugins/CoreHome/javascripts/broadcast.js
index badabd0811..7fc0b848d5 100644
--- a/plugins/CoreHome/javascripts/broadcast.js
+++ b/plugins/CoreHome/javascripts/broadcast.js
@@ -176,7 +176,6 @@ var broadcast = {
}
}
},
-
isWidgetizedDashboard: function() {
return broadcast.getValueFromUrl('module') == 'Widgetize' && broadcast.getValueFromUrl('moduleToWidgetize') == 'Dashboard';
},
diff --git a/plugins/CoreHome/javascripts/dataTable_rowactions.js b/plugins/CoreHome/javascripts/dataTable_rowactions.js
index 3481e28b7b..5283944e32 100644
--- a/plugins/CoreHome/javascripts/dataTable_rowactions.js
+++ b/plugins/CoreHome/javascripts/dataTable_rowactions.js
@@ -474,6 +474,7 @@ DataTable_RowActions_RowEvolution.prototype.showRowEvolution = function (apiMeth
var ajaxRequest = new ajaxHelper();
ajaxRequest.addParams(requestParams, 'get');
+ ajaxRequest.withTokenInUrl();
ajaxRequest.setCallback(callback);
ajaxRequest.setFormat('html');
ajaxRequest.send();
diff --git a/plugins/Live/javascripts/SegmentedVisitorLog.js b/plugins/Live/javascripts/SegmentedVisitorLog.js
index 48bbb289cf..65d0121edc 100644
--- a/plugins/Live/javascripts/SegmentedVisitorLog.js
+++ b/plugins/Live/javascripts/SegmentedVisitorLog.js
@@ -135,6 +135,7 @@ var SegmentedVisitorLog = function() {
var ajaxRequest = new ajaxHelper();
ajaxRequest.addParams(requestParams, 'get');
+ ajaxRequest.withTokenInUrl();
ajaxRequest.setCallback(callback);
ajaxRequest.setFormat('html');
ajaxRequest.send();
diff --git a/plugins/Live/javascripts/visitorProfile.js b/plugins/Live/javascripts/visitorProfile.js
index 2fdf092dfb..6f743221d4 100644
--- a/plugins/Live/javascripts/visitorProfile.js
+++ b/plugins/Live/javascripts/visitorProfile.js
@@ -156,7 +156,10 @@
$element.on('mousedown', '.visitor-profile-export', function (e) {
var url = $(this).attr('href');
if (url.indexOf('&token_auth=') == -1) {
- $(this).attr('href', url + '&force_api_session=1&token_auth=' + piwik.token_auth);
+ if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
+ url += '&force_api_session=1';
+ }
+ $(this).attr('href', url + '&token_auth=' + piwik.token_auth);
}
});
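Review bot: The rebuilt href appends `piwik.token_auth` without `encodeURIComponent`, whereas the parallel hunks in widgetloader.directive.js and Overlay_Helper.js encode the token; `$(this).attr('href', url + '&token_auth=' + encodeURIComponent(piwik.token_auth));` keeps the link well-formed if the value ever contains reserved characters. The same unencoded concatenation appears in the new lines of plugins/Overlay/templates/index.twig and index_noframe.twig. The enclosing function begins before this hunk.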
diff --git a/plugins/Overlay/javascripts/Overlay_Helper.js b/plugins/Overlay/javascripts/Overlay_Helper.js
index 6e843df816..d095768908 100644
--- a/plugins/Overlay/javascripts/Overlay_Helper.js
+++ b/plugins/Overlay/javascripts/Overlay_Helper.js
@@ -29,7 +29,10 @@ var Overlay_Helper = {
var token_auth = piwik.broadcast.getValueFromUrl("token_auth");
if (token_auth.length && piwik.shouldPropagateTokenAuth) {
- url += '&force_api_session=1&token_auth=' + encodeURIComponent(token_auth);
+ if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
+ url += '&force_api_session=1';
+ }
+ url += '&token_auth=' + encodeURIComponent(token_auth);
}
if (link) {
diff --git a/plugins/Overlay/javascripts/Piwik_Overlay.js b/plugins/Overlay/javascripts/Piwik_Overlay.js
index 49e5c95401..f33382fceb 100644
--- a/plugins/Overlay/javascripts/Piwik_Overlay.js
+++ b/plugins/Overlay/javascripts/Piwik_Overlay.js
@@ -50,6 +50,7 @@ var Piwik_Overlay = (function () {
globalAjaxQueue.abort();
var ajaxRequest = new ajaxHelper();
ajaxRequest.addParams(params, 'get');
+ ajaxRequest.withTokenInUrl(); // needed because it is calling a controller and not the API
ajaxRequest.setCallback(
function (response) {
hideLoading();
diff --git a/plugins/Overlay/templates/index.twig b/plugins/Overlay/templates/index.twig
index e4a4c77441..a618224ce5 100644
--- a/plugins/Overlay/templates/index.twig
+++ b/plugins/Overlay/templates/index.twig
@@ -73,7 +73,10 @@
var iframeSrc = 'index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ rawDate }}&segment={{ segment }}';
if (piwik.shouldPropagateTokenAuth) {
- iframeSrc += '&force_api_session=1&token_auth=' + piwik.token_auth;
+ if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
+ iframeSrc += '&force_api_session=1';
+ }
+ iframeSrc += '&token_auth=' + piwik.token_auth;
}
Piwik_Overlay.init(iframeSrc, '{{ idSite }}', '{{ period }}', '{{ rawDate }}', '{{ segment }}');
diff --git a/plugins/Overlay/templates/index_noframe.twig b/plugins/Overlay/templates/index_noframe.twig
index c3f32be6b6..2c8f63dc75 100644
--- a/plugins/Overlay/templates/index_noframe.twig
+++ b/plugins/Overlay/templates/index_noframe.twig
@@ -8,7 +8,10 @@
<script type="text/javascript">
var newLocation = 'index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ date }}&segment={{ segment }}';
if (piwik.shouldPropagateTokenAuth) {
- newLocation += '&force_api_session=1&token_auth=' + piwik.token_auth;
+ if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
+ newLocation += '&force_api_session=1';
+ }
+ newLocation += '&token_auth=' + piwik.token_auth;
}
var locationParts = window.location.href.split('#');