-rw-r--r--core/API/Request.php34
-rw-r--r--core/FrontController.php7
-rw-r--r--core/Session/SessionAuth.php4
-rw-r--r--plugins/Dashboard/tests/UI/Dashboard_spec.js2
-rw-r--r--plugins/Dashboard/tests/UI/expected-screenshots/DashboardManager_removed.png4
-rw-r--r--plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_loaded_token_auth.png4
-rw-r--r--plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_removed.png4
-rw-r--r--plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_reset.png4
-rw-r--r--plugins/Widgetize/Controller.php3
-rw-r--r--tests/PHPUnit/Fixtures/UITestFixture.php13
-rw-r--r--tests/PHPUnit/Framework/Fixture.php4
-rw-r--r--tests/PHPUnit/Integration/FrontControllerTest.php2
-rw-r--r--tests/PHPUnit/System/CookieTest.php18
-rw-r--r--tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png3
-rw-r--r--tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png4
-rw-r--r--tests/UI/expected-screenshots/Theme_home.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png3
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_api_error.png4
-rw-r--r--tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png4
-rw-r--r--tests/UI/specs/BarGraph_spec.js10
-rw-r--r--tests/UI/specs/Comparison_spec.js4
-rw-r--r--tests/UI/specs/UIIntegration_spec.js6
24 files changed, 120 insertions, 33 deletions
diff --git a/core/API/Request.php b/core/API/Request.php
index c43d1b5e8f..7850e91aaf 100644
--- a/core/API/Request.php
+++ b/core/API/Request.php
@@ -448,7 +448,39 @@ class Request
SettingsServer::raiseMemoryLimitIfNecessary();
}
- private static function shouldReloadAuthUsingTokenAuth($request)
+ /**
+ * Needs to be called AFTER the user has been authenticated using a token.
+ *
+ * @internal
+ * @ignore
+ * @param string $module
+ * @param string $action
+ * @return bool
+ * @throws Exception
+ */
+ public static function isTokenAuthLimitedToViewAccess($module, $action)
+ {
+ if (($module !== 'API' || ($action && $action !== 'index'))
+ && Piwik::isUserHasSomeWriteAccess()
+ && !Common::isPhpCliMode()) {
+ // we allow UI authentication/ embedding widgets / reports etc only for users that have only view
+ // access. it's mostly there to get users to use auth tokens of view users when embedding reports
+ // token_auth is fine for API calls since they would be always authenticated later anyway
+ // token_auth is also fine in CLI mode as eg doAsSuperUser might be used etc
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * @internal
+ * @ignore
+ * @param $request
+ * @return bool
+ * @throws Exception
+ */
+ public static function shouldReloadAuthUsingTokenAuth($request)
{
if (is_null($request)) {
$request = self::getDefaultRequest();
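Review bot: The new public docblock on `shouldReloadAuthUsingTokenAuth` leaves `@param $request` untyped and does not say what the `null` that FrontController now passes selects, although the two context lines at the end of the hunk show that null falls back to `self::getDefaultRequest()`; suggest `@param mixed $request Request to inspect; null means the default (current) request.` In `isTokenAuthLimitedToViewAccess`, `$action && $action !== 'index'` is a truthiness test, so an action of `'0'` would be treated as absent and the call classified as `API.index`; `!in_array((string) $action, ['', 'index'], true)` keeps null/empty as "absent" without that quirk. The "needs to be called AFTER ..." precondition is not enforced: `Piwik::isUserHasSomeWriteAccess()` presumably evaluates whatever Access is currently loaded, so a caller that skips `reloadAuthUsingTokenAuth()` silently checks the session user instead of the token's user, which is worth stating in the docblock. The body of `shouldReloadAuthUsingTokenAuth` continues outside the hunk.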
diff --git a/core/FrontController.php b/core/FrontController.php
index 00b032833e..187829ac15 100644
--- a/core/FrontController.php
+++ b/core/FrontController.php
@@ -408,9 +408,14 @@ class FrontController extends Singleton
// Force the auth to use the token_auth if specified, so that embed dashboard
// and all other non widgetized controller methods works fine
- if (Common::getRequestVar('token_auth', false, 'string') !== false) {
+ if (Common::getRequestVar('token_auth', '', 'string') !== ''
+ && Request::shouldReloadAuthUsingTokenAuth(null)) {
Request::reloadAuthUsingTokenAuth();
+ if (Request::isTokenAuthLimitedToViewAccess($module, $action)) {
+ throw new \Exception(Piwik::translate('Widgetize_ViewAccessRequired'));
+ }
}
+
SettingsServer::raiseMemoryLimitIfNecessary();
\Piwik\Plugin\Manager::getInstance()->postLoadPlugins();
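Review bot: Core `FrontController` now throws with the plugin translation key `Widgetize_ViewAccessRequired` on the new `throw new \Exception(...)` line, which ties core's token_auth policy to the Widgetize plugin's language file; if that plugin is deactivated the user presumably sees the raw key. A core-owned key (`General_<placeholder>`) or, better, a dedicated exception type would let the dispatcher's error handling recognise this refusal rather than a bare `\Exception`. The literal `null` passed to `shouldReloadAuthUsingTokenAuth` reads as a magic value; a trailing comment `// null = inspect the current request` would make the intent visible at the call site. The enclosing method starts and ends outside the hunk.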
diff --git a/core/Session/SessionAuth.php b/core/Session/SessionAuth.php
index bad3c29122..2ee3eaaef7 100644
--- a/core/Session/SessionAuth.php
+++ b/core/Session/SessionAuth.php
@@ -64,7 +64,9 @@ class SessionAuth implements Auth
public function getLogin()
{
- return $this->user['login'];
+ if (isset($this->user['login'])) {
+ return $this->user['login'];
+ }
}
public function getTokenAuthSecret()
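Review bot: After the added `isset` guard, `getLogin()` falls off the end of the method when `$this->user` has no `login` key, so the null result is implicit; add `return null;` after the `if` block and document the contract with `@return string|null login of the session user, or null when no user has been loaded` so callers treat a null login as "not authenticated" rather than as a user named null. If the reason for the guard is that `$this->user` can be empty before the session has been validated, the docblock should say so; I cannot confirm that from this hunk.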
diff --git a/plugins/Dashboard/tests/UI/Dashboard_spec.js b/plugins/Dashboard/tests/UI/Dashboard_spec.js
index 1a59213095..8d9eff418c 100644
--- a/plugins/Dashboard/tests/UI/Dashboard_spec.js
+++ b/plugins/Dashboard/tests/UI/Dashboard_spec.js
@@ -303,7 +303,7 @@ describe("Dashboard", function () {
testEnvironment.testUseMockAuth = 0;
testEnvironment.save();
- var tokenAuth = "c4ca4238a0b923820dcc509a6f75849b";
+ var tokenAuth = "a4ca4238a0b923820dcc509a6f75849f";
await page.goto(url.replace("idDashboard=5", "idDashboard=1") + '&token_auth=' + tokenAuth);
expect(await page.screenshot({ fullPage: true })).to.matchImage('loaded_token_auth');
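Review bot: The replacement token `a4ca4238a0b923820dcc509a6f75849f` is a bare literal here, and the same literal is repeated in `tests/UI/specs/BarGraph_spec.js` (the `should load correctly` test) with nothing tying either to the PHP fixture that defines it (`Fixture::VIEW_USER_TOKEN`); the admin token in BarGraph_spec.js at least carries a comment explaining its origin. Add a comment at each literal, e.g. `// Fixture::VIEW_USER_TOKEN (view-only user), must stay in sync with tests/PHPUnit/Framework/Fixture.php`, so a future change to the constant does not silently break these specs.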
diff --git a/plugins/Dashboard/tests/UI/expected-screenshots/DashboardManager_removed.png b/plugins/Dashboard/tests/UI/expected-screenshots/DashboardManager_removed.png
index daab262d4e..f352da529a 100644
--- a/plugins/Dashboard/tests/UI/expected-screenshots/DashboardManager_removed.png
+++ b/plugins/Dashboard/tests/UI/expected-screenshots/DashboardManager_removed.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:621de39230f85c9df20abfbea59ef7f4fa27588cbc39fd036c7fe6dafbd2ff0b
-size 472796
+oid sha256:9a542bf726e1ba28102e30719d2761584becc47b36d244042633f5379a89f7ef
+size 472762
diff --git a/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_loaded_token_auth.png b/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_loaded_token_auth.png
index a0568efcc3..4c87040511 100644
--- a/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_loaded_token_auth.png
+++ b/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_loaded_token_auth.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:e98260a649dfa43fa3e44901179dfc9cbe728d6cf2a2fe145b55f62d75d14b89
-size 732859
+oid sha256:8d00c8d77ae5b440a6af7e8af9683db3a50a73dc629d2026109049c0dcd627b6
+size 19841
diff --git a/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_removed.png b/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_removed.png
index a0568efcc3..d310aadbdc 100644
--- a/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_removed.png
+++ b/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_removed.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:e98260a649dfa43fa3e44901179dfc9cbe728d6cf2a2fe145b55f62d75d14b89
-size 732859
+oid sha256:4bf08ddd651f96d20f4dbf7db1cba26069133afccc147b7bc498a537b4e0f770
+size 732787
diff --git a/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_reset.png b/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_reset.png
index caef4ebc76..b345c9da95 100644
--- a/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_reset.png
+++ b/plugins/Dashboard/tests/UI/expected-screenshots/Dashboard_reset.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:7beaee5cdddad7209123b675e03f7001c21cdbf924f7d22de0c7d5309bc4ed53
-size 375616
+oid sha256:50218e70c2d759e98b6000ad47e88efbdc79e7e8d6f0ba607ae3229c709c2733
+size 374928
diff --git a/plugins/Widgetize/Controller.php b/plugins/Widgetize/Controller.php
index d0ef5187c8..e76d8b7e5f 100644
--- a/plugins/Widgetize/Controller.php
+++ b/plugins/Widgetize/Controller.php
@@ -34,8 +34,7 @@ class Controller extends \Piwik\Plugin\Controller
$token_auth = Common::getRequestVar('token_auth', '', 'string');
if ($token_auth !== ''
- && Access::getInstance()->isUserHasSomeAdminAccess()
- && !defined('PIWIK_TEST_MODE')) {
+ && Access::getInstance()->isUserHasSomeWriteAccess()) {
throw new \Exception(Piwik::translate('Widgetize_ViewAccessRequired'));
}
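Review bot: The view-only restriction for token_auth is now defined twice: here as `isUserHasSomeWriteAccess()` and in `core/FrontController.php` via `Request::isTokenAuthLimitedToViewAccess($module, $action)`, and the two already differ (the core version exempts CLI mode). Delegating this check to the shared helper, or documenting why the Widgetize controller needs its own copy, keeps the policy from drifting between the two call paths. The enclosing method starts outside the hunk.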
diff --git a/tests/PHPUnit/Fixtures/UITestFixture.php b/tests/PHPUnit/Fixtures/UITestFixture.php
index 7ea86b7569..567b106921 100644
--- a/tests/PHPUnit/Fixtures/UITestFixture.php
+++ b/tests/PHPUnit/Fixtures/UITestFixture.php
@@ -127,6 +127,19 @@ class UITestFixture extends SqlDump
);
$this->addDangerousLinks();
+
+ $model = new \Piwik\Plugins\UsersManager\Model();
+ $user = $model->getUser(self::VIEW_USER_LOGIN);
+
+ if (empty($user)) {
+ $model->addUser(self::VIEW_USER_LOGIN, self::VIEW_USER_PASSWORD, 'hello2@example.org', Date::now()->getDatetime());
+ $model->addUserAccess(self::VIEW_USER_LOGIN, 'view', array(1));
+ } else {
+ $model->updateUser(self::VIEW_USER_LOGIN, self::VIEW_USER_PASSWORD, 'hello2@example.org');
+ }
+ if (!$model->getUserByTokenAuth(self::VIEW_USER_TOKEN)) {
+ $model->addTokenAuth(self::VIEW_USER_LOGIN,self::VIEW_USER_TOKEN, 'View user token', Date::now()->getDatetime());
+ }
}
public function performSetUp($setupEnvironmentOnly = false)
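Review bot: Two style points in the new fixture code: `array(1)` uses the long array syntax where the rest of the hunk's style would be `[1]`, and `addTokenAuth(self::VIEW_USER_LOGIN,self::VIEW_USER_TOKEN, ...)` is missing the space after the first comma. A one-line comment above the block, `// create/refresh the view-only user and its fixed token used by the UI specs`, would explain why a second user is seeded in a fixture that previously only had the super user. The enclosing method starts outside the hunk.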
diff --git a/tests/PHPUnit/Framework/Fixture.php b/tests/PHPUnit/Framework/Fixture.php
index 2a7cadaf95..97258b3550 100644
--- a/tests/PHPUnit/Framework/Fixture.php
+++ b/tests/PHPUnit/Framework/Fixture.php
@@ -83,6 +83,10 @@ class Fixture extends \PHPUnit\Framework\Assert
const ADMIN_USER_PASSWORD = 'superUserPass';
const ADMIN_USER_TOKEN = 'c4ca4238a0b923820dcc509a6f75849b';
+ const VIEW_USER_LOGIN = 'viewUserLogin';
+ const VIEW_USER_PASSWORD = 'viewUserPass';
+ const VIEW_USER_TOKEN = 'a4ca4238a0b923820dcc509a6f75849f';
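Review bot: `VIEW_USER_TOKEN` is introduced as a bare literal with no note on how it was chosen or who consumes it, while the neighbouring `ADMIN_USER_TOKEN` is documented in BarGraph_spec.js as md5-derived. A comment such as `// arbitrary fixed token for VIEW_USER_LOGIN; the UI specs hard-code the same value` makes the cross-language coupling visible to whoever next edits these constants.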
+
const PERSIST_FIXTURE_DATA_ENV = 'PERSIST_FIXTURE_DATA';
public $dbName = false;
diff --git a/tests/PHPUnit/Integration/FrontControllerTest.php b/tests/PHPUnit/Integration/FrontControllerTest.php
index 8699da62ea..8a4945dec5 100644
--- a/tests/PHPUnit/Integration/FrontControllerTest.php
+++ b/tests/PHPUnit/Integration/FrontControllerTest.php
@@ -48,7 +48,7 @@ FORMAT;
$this->assertEquals('error', $response['result']);
$expectedFormat = <<<FORMAT
-test message on {includePath}/tests/resources/trigger-fatal-exception.php(23) #0 [internal function]: {closure}('CoreHome', 'index', Array) #1 {includePath}/core/EventDispatcher.php(141): call_user_func_array(Object(Closure), Array) #2 {includePath}/core/Piwik.php(802): Piwik\EventDispatcher-&gt;postEvent('Request.dispatc...', Array, false, Array) #3 {includePath}/core/FrontController.php(569): Piwik\Piwik::postEvent('Request.dispatc...', Array) #4 {includePath}/core/FrontController.php(165): Piwik\FrontController-&gt;doDispatch('CoreHome', 'index', Array) #5 {includePath}/tests/resources/trigger-fatal-exception.php(31): Piwik\FrontController-&gt;dispatch('CoreHome', 'index') #6 {main}
+test message on {includePath}/tests/resources/trigger-fatal-exception.php(23) #0 [internal function]: {closure}('CoreHome', 'index', Array) #1 {includePath}/core/EventDispatcher.php(141): call_user_func_array(Object(Closure), Array) #2 {includePath}/core/Piwik.php(802): Piwik\EventDispatcher-&gt;postEvent('Request.dispatc...', Array, false, Array) #3 {includePath}/core/FrontController.php(574): Piwik\Piwik::postEvent('Request.dispatc...', Array) #4 {includePath}/core/FrontController.php(165): Piwik\FrontController-&gt;doDispatch('CoreHome', 'index', Array) #5 {includePath}/tests/resources/trigger-fatal-exception.php(31): Piwik\FrontController-&gt;dispatch('CoreHome', 'index') #6 {main}
FORMAT;
$this->assertStringMatchesFormat($expectedFormat, $response['message']);
}
diff --git a/tests/PHPUnit/System/CookieTest.php b/tests/PHPUnit/System/CookieTest.php
index 0c5d709a5b..bd32beea96 100644
--- a/tests/PHPUnit/System/CookieTest.php
+++ b/tests/PHPUnit/System/CookieTest.php
@@ -8,9 +8,11 @@
*/
namespace Piwik\Tests\System;
+use Piwik\Access;
use Piwik\Config;
use Piwik\SettingsPiwik;
use Piwik\Tests\Framework\Fixture;
+use Piwik\Tests\Framework\Mock\FakeAccess;
use Piwik\Tests\Framework\TestCase\SystemTestCase;
class CookieTest extends SystemTestCase
@@ -83,7 +85,6 @@ class CookieTest extends SystemTestCase
'period' => 'day',
'date' => 'yesterday',
'ignoreSalt' => md5(SettingsPiwik::getSalt()),
- 'token_auth' => $tokenAuth
);
$url = $matomoUrl . 'index.php?' . http_build_query($params);
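Review bot: Dropping `'token_auth' => $tokenAuth` from `$params` means the request in this test no longer exercises token-based authentication at all; it presumably relies instead on the super-user `FakeAccess` registered later in this file, so if the cookie behaviour under token auth was part of what this test covered, that coverage is gone and the test name or a comment should reflect the new setup. If `$tokenAuth` is still assigned earlier in the method, it is now an unused local and can be removed; the assignment is outside this hunk.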
@@ -105,4 +106,19 @@ class CookieTest extends SystemTestCase
{
self::assertStringContainsString('SameSite=' . $expectedSameSite, $cookieHeader);
}
+
+ /**
+ * Use this method to return custom container configuration that you want to apply for the tests.
+ * This configuration will override Fixture config.
+ *
+ * @return array
+ */
+ public static function provideContainerConfigBeforeClass()
+ {
+ $fakeAccess = new FakeAccess();
+ $fakeAccess->setSuperUserAccess(true);
+ return [
+ Access::class => $fakeAccess
+ ];
+ }
} \ No newline at end of file
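Review bot: The docblock on `provideContainerConfigBeforeClass` is generic boilerplate and `@return array` says nothing about the shape; replace it with a description of what this override does, e.g. `Replaces Access with a FakeAccess that grants super-user rights so the cookie requests need no token_auth.` and `@return array<string, object>`. The file also ends without a trailing newline (`\ No newline at end of file`), which PER-CS/PSR-12 require.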
diff --git a/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png b/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
new file mode 100644
index 0000000000..5b0a68c035
--- /dev/null
+++ b/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ecd652a528a11799f42fc81a41bc5123e06e23cbc218ede634e0ed776d7d7cc
+size 48697
diff --git a/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png b/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png
index 1fea0f9c9f..9b089b4875 100644
--- a/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png
+++ b/tests/UI/expected-screenshots/EmptySite_emptySiteDashboard_ignored.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:3cb89b82fc84803436dfceb89ff0fe2fc27c39f73e7a0932cdc38335c220b380
-size 366894
+oid sha256:c870b64bea3a0233c602e70e2cd7b4da5820182d08056fe85965444d6cd524a5
+size 366822
diff --git a/tests/UI/expected-screenshots/Theme_home.png b/tests/UI/expected-screenshots/Theme_home.png
index ad1ca26680..059f6d3e6a 100644
--- a/tests/UI/expected-screenshots/Theme_home.png
+++ b/tests/UI/expected-screenshots/Theme_home.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:5e843176745f9b331cda7744342745c52d231162970bb2a546bfd19401c72fbc
-size 728484
+oid sha256:ba8159f75e3c61863df48e676d21ff8522160fa22649d0fa3c2eedbe2a5d9353
+size 728419
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png
index 1c1e01bff8..f6ff75bd8a 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:c4ee6d92d654a5855ba2d4ff82d66ea8f7d8eb31760c25701256ac9009c2fbad
-size 149517
+oid sha256:e120afc0acdc1a94cb2493d2713a3d936f92f85b92f048b45e5be1373a1a0a7a
+size 149461
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png
new file mode 100644
index 0000000000..5b0a68c035
--- /dev/null
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ecd652a528a11799f42fc81a41bc5123e06e23cbc218ede634e0ed776d7d7cc
+size 48697
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png
index a7cef66fa1..fae1adeac8 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_themes.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:8475ddc200fafc929289c5a0791cdc715eb64ee3cd04d6c08f0a702259169088
-size 79115
+oid sha256:840c3fbca67d466ec8079b402da4ef5f7f74286fc8e6978e5a09248d6196d068
+size 79078
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png b/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png
index 1c1e01bff8..f6ff75bd8a 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_api_error.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:c4ee6d92d654a5855ba2d4ff82d66ea8f7d8eb31760c25701256ac9009c2fbad
-size 149517
+oid sha256:e120afc0acdc1a94cb2493d2713a3d936f92f85b92f048b45e5be1373a1a0a7a
+size 149461
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png b/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png
index 758e4fd08c..0151f336e5 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_dashboard1.png
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:1802cb493b280d29cd404c8ef7bb38d5c76a149a4977531f890a5532151bb006
-size 652951
+oid sha256:dcef79816dcd6b1fedda86f25f2cbb2ec85b0101568cc3b6bf5e717e980aa89a
+size 652880
diff --git a/tests/UI/specs/BarGraph_spec.js b/tests/UI/specs/BarGraph_spec.js
index 6d1c63c66f..7ef3a562e5 100644
--- a/tests/UI/specs/BarGraph_spec.js
+++ b/tests/UI/specs/BarGraph_spec.js
@@ -10,8 +10,7 @@
describe("BarGraph", function () {
var tokenAuth = "c4ca4238a0b923820dcc509a6f75849b", // md5('superUserLogin' . md5('superUserPass'))
url = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
- + "actionToWidgetize=getKeywords&viewDataTable=graphVerticalBar&isFooterExpandedInDashboard=1&"
- + "token_auth=" + tokenAuth;
+ + "actionToWidgetize=getKeywords&viewDataTable=graphVerticalBar&isFooterExpandedInDashboard=1&";
before(function () {
// use real auth + token auth to test that auth works when widgetizing reports in an iframe
@@ -19,8 +18,13 @@ describe("BarGraph", function () {
testEnvironment.save();
});
+ it("should fail when admin token is used", async function () {
+ await page.goto(url + 'token_auth=' + tokenAuth);
+ expect(await page.screenshot({ fullPage: true })).to.matchImage('load_fail_when_token_used');
+ });
+
it("should load correctly", async function () {
- await page.goto(url);
+ await page.goto(url + 'token_auth=a4ca4238a0b923820dcc509a6f75849f');
expect(await page.screenshot({ fullPage: true })).to.matchImage('load');
});
diff --git a/tests/UI/specs/Comparison_spec.js b/tests/UI/specs/Comparison_spec.js
index e31a48f5a6..43340c8ad1 100644
--- a/tests/UI/specs/Comparison_spec.js
+++ b/tests/UI/specs/Comparison_spec.js
@@ -17,10 +17,10 @@ describe("Comparison", function () {
compareParams = comparePeriod + compareSegment,
barGraphUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
+ "actionToWidgetize=getKeywords&viewDataTable=graphVerticalBar&isFooterExpandedInDashboard=1&"
- + "token_auth=" + tokenAuth + compareParams,
+ + compareParams,
pieGraphUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
+ "actionToWidgetize=getKeywords&viewDataTable=graphPie&isFooterExpandedInDashboard=1&"
- + "token_auth=" + tokenAuth + compareParams,
+ + compareParams,
goalsTableUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
+ "actionToWidgetize=getKeywords&viewDataTable=tableGoals&filter_limit=5&isFooterExpandedInDashboard=1" + compareParams,
htmlTableUrl = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
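Review bot: With `"token_auth=" + tokenAuth` removed from both graph URLs, `tokenAuth` may no longer be referenced anywhere in this spec (the goals-table and html-table URLs visible here never used it); if so, drop its declaration, which sits outside the hunk, rather than leaving a dead variable. A short comment on `barGraphUrl` noting that widgetized reports are now loaded via the session rather than a token would explain the change to the next reader.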
diff --git a/tests/UI/specs/UIIntegration_spec.js b/tests/UI/specs/UIIntegration_spec.js
index 7b18b1a809..00f3f19e66 100644
--- a/tests/UI/specs/UIIntegration_spec.js
+++ b/tests/UI/specs/UIIntegration_spec.js
@@ -731,6 +731,12 @@ describe("UIIntegrationTest", function () { // TODO: Rename to Piwik?
describe("AdminPages", function () {
this.title = parentSuite.title; // to make sure the screenshot prefix is the same
+ it('should not be possible to render any action using token_auth with at least some admin access', async function () {
+ await page.goto("?" + generalParams + "&module=CoreAdminHome&action=home&token_auth=c4ca4238a0b923820dcc509a6f75849b");
+
+ expect(await page.screenshot({ fullPage: true })).to.matchImage('admin_home_admintoken_not_allowed');
+ });
+
it('should load the Admin home page correct', async function () {
await page.goto("?" + generalParams + "&module=CoreAdminHome&action=home");