Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/matomo-org/matomo.git
Age | Commit message | Author
2022-03-10 | [Codingstyle] Disallow unused use statements (#18520) | Stefan Giehl
  * Forbid unused use statements
  * Fix some incorrect classnames
  * fix tests
  * remove unused use statements

2021-08-12 | avoid large amounts of notifications being added to the session (#17736) | dizzy
  * impose limit on notification message size when logging to notifications
  * if in-memory notification count exceeds max notification size in session, do not attempt to add new ones to the session
  * Detect when session was too large to read and provide warning to user.
  * add some tests for Notification\ManagerTest.php
  * add tests for relevant DbTable members
  * Change session data column type to allow larger session data values.
  * update to rc3
  * trigger new build?
  * fix namespace
  * fix test namespaces
  * bump version correctly

2020-09-30 | Compare session token in any case (#16448) | Thomas Steur
  * Compare token if value is 0
  * when session is used always verify token
  * also compare if a string is set
  * update travis
  Co-authored-by: sgiehl <stefan@matomo.org>

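The commit above says the token is now compared even when its value is 0 and that a session-backed request must always be verified. The commit does not show what the earlier check looked like; the "weak" function below is an assumed illustration of the PHP pitfall that makes "compare if value is 0" a meaningful fix (the string "0" is falsy, so a truthiness guard skips the comparison for it). This is an added example, not Matomo's code, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Weak form (the pattern to avoid): the comparison only runs when the supplied
// token is truthy. In PHP, null, "" and "0" are all falsy, so a request carrying
// token "0" is never compared against the expected value and passes the guard.
function verifyTokenWeak(?string $supplied, string $expected): bool
{
    if ($supplied && $supplied !== $expected) {
        return false;
    }
    return true; // reached for null, "" and "0" without any comparison
}

// Hardened form: a request authenticated by session must always carry a token,
// the check runs for every value (including "0"), and the comparison is
// constant-time so the token cannot be recovered byte by byte via timing.
function verifyToken(?string $supplied, ?string $expected): bool
{
    if ($supplied === null || $supplied === '' || $expected === null || $expected === '') {
        return false; // missing token on either side is a failure, not a skip
    }
    return hash_equals($expected, $supplied);
}

// Constructed walk-through (not real tokens): "0" against an unrelated expected
// value is accepted by the weak check and rejected by the hardened one.
$expected = 'f3a1c9d2e8b7';
var_dump(verifyTokenWeak('0', $expected));
var_dump(verifyToken('0', $expected));
var_dump(verifyToken($expected, $expected));
```

`hash_equals()` must receive the known-good value as its first argument; passing the attacker-controlled value first leaks its length through the early-return the function performs on length mismatch.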
2020-08-11 | Only allow widgetize and token usage for view users (#16263) | Thomas Steur

2020-04-24 | Update doc blocks with new name (#15857) | Stefan Giehl
  * update doc blocks with new name
  * submodule updates
  * updates expected UI files

2020-03-18 | App specific token_auths (#15410) | Thomas Steur
  * some initial work
  * add security page
  * backing up some code
  * more functionality
  * adjust more UI parts
  * adjust more code
  * more tweaks
  * add todo note
  * few tweaks
  * make sure date is in right format
  * fix not existing column
  * few fixes
  * available hashes
  * use different hash algo so tests run on php 5
  * fix name of algorithm
  * trying to fix some tests
  * another try to fix some tests
  * more fixes
  * more fixes
  * few fixes
  * update template
  * fix some tests
  * fix test
  * fixing some tests
  * various test fixes
  * more fixes
  * few more tests
  * more tests
  * various tweaks
  * add translations
  * add some ui tests
  * fix selector
  * tweaks
  * trying to fix some ui tests
  * fallback to regular authentication if needed
  * fix call authenticate on null
  * fix user settings
  * fix some tests
  * few fixes
  * fix more ui tests
  * update schema
  * Update plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js
    Co-Authored-By: Stefan Giehl <stefan@matomo.org>
  * fix maps are not showing data
  * trying to fix some tests
  * set correct token
  * trying to fix tracking failure
  * minor tweaks and fixes
  * fix more tests
  * fix screenshot test
  * trigger event so brute force logic is executed
  * test no fallback to actual authentication
  * allow fallback
  * apply review feedback
  * fix some tests
  * fix tests
  * make sure location values from query params are limited properly before attempting a db insert
  * make sure plugin uninstall migration reloads plugins, make sure 4.0.0-b1 migration removes unique index that is no longer used, use defaults extra file in SqlDump to get test to run on travis
  * Fix UI tests.
  * update expected screenshot
  Co-authored-by: Stefan Giehl <stefan@matomo.org>
  Co-authored-by: diosmosis <diosmosis@users.noreply.github.com>

2020-02-11 | Merge branch 3.x-dev into 4.x-dev (#15543) | Stefan Giehl
  * Updates search engine and social definitions (#15384)
  * updates device detector to latest release (#15388)
  * updates device detector to latest release
  * updates tests
  * translation update (#15389)
  * Fix Could not get the lock for ID, when creating a site (#15401)
  * Lock key start
  * do not empty key lock
    Co-authored-by: Thomas Steur <tsteur@users.noreply.github.com>
  * 3.13.1
  * submodule updates
  * Use correct name in update available message (#15423)
  * Fix removing user capabilities (#15422)
  * Order of implode() args, avoid E_NOTICE in PHP7.4 (#15428)
  * Fixes possible php warning in visitor log (#15442)
  * silence is_executable call (#15446)
  * Make sure geolocation admin experience is consistent if user is not using GeoIp2 plugin. (#15447)
  * Fix referrers test. (#15448)
  * Ensure to close visitor popover correctly (#15443)
  * Fixes possible warning (#15453)
  * Forward instance_id from local config when resetting config during tests. (#15445)
  * Add event that allows plugins to disable archiving for certain periods/sites if they want. (#15457)
  * Add event that allows plugins to disable archiving for certain periods/sites if they want.
  * apply review feedback
  * Fix possible warning for columns without index (#15467)
  * Day range archiving issue (#15462)
  * Improve lock ID check for max length (#15407)
    Better patch for https://github.com/matomo-org/matomo/pull/15401 which was merged last minute... This way it always works even when someone calls `acquireLock` directly instead of `execute`. Pushing this for now into 3.x-dev but can also put it into 4.x-dev directly, but then there might be merge conflicts when merging 3.x-dev into 4.x-dev.
  * Use SameSite none for session token when embedded into iframe (#15439)
  * Make sure tracking works in IE9 and lower (#15480)
  * Mention Joomla install FAQ (#15481)
  * Make sparklines work when mbstring extension is not installed (#15489)
    1) Too few arguments to function mb_strtolower(), 1 passed in matomo/vendor/davaxi/sparkline/src/Sparkline/StyleTrait.php on line 129 and exactly 2 expected
    2) mb_strlen is not defined
  * update screenshots (#15488)
  * 3.13.2-rc1
  * Use safemode when running CLI commands (#15472)
  * update icons submodule (#15490)
  * update icons submodule
  * update UI tests
  * Fix possible undefined index notice (#15502)
  * Use latest davaxi/sparkline release (#15464)
  * translation update
  * submodule updates
  * Fix deprecation notice (#15530)
    see https://github.com/matomo-org/matomo/pull/15467#issuecomment-583283444
  * 3.13.2-rc2
  * update cache component (#15536)
  * fixes copy dashboard to user for more than 100 users (#15538)
    cherry picking #15424 to fix #15420 in 3.x-dev
  * Add missing return statement. (#15539)
  * 3.13.2
  * update tests
  * update tests
  Co-authored-by: Matthieu Aubry <mattab@users.noreply.github.com>
  Co-authored-by: Thomas Steur <tsteur@users.noreply.github.com>
  Co-authored-by: Peter Upfold <pgithub@upfold.org.uk>
  Co-authored-by: diosmosis <diosmosis@users.noreply.github.com>
  Co-authored-by: Lukas Winkler <github@lw1.at>

2019-12-10 | Use appropriate SameSite value for session cookie (#15186) | Kate Butler
  * Set SameSite=lax for session cookie
  * Update warning text when Matomo is installed on HTTP
  * urlencode all session cookie values

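The two SameSite commits in this log (Lax by default, None when the session token is used inside an iframe) imply a rule that is easy to get wrong: browsers drop a SameSite=None cookie unless it is also marked Secure, so the iframe case is only possible over HTTPS. The snippet below is an added example, not Matomo's own code: it picks the cookie attributes from two caller-supplied facts (whether the request is HTTPS and whether the page is embedded) and refuses the insecure combination. How Matomo itself detects the embedded case is not stated on this page, so that input is an assumption here, as are the function names.

```php
<?php
declare(strict_types=1);

/**
 * Choose session cookie attributes for the current request.
 * $isHttps and $embeddedInIframe are determined by the caller (assumption).
 */
function sessionCookieParams(bool $isHttps, bool $embeddedInIframe, string $path = '/'): array
{
    if ($embeddedInIframe) {
        // SameSite=None is only accepted by browsers together with Secure.
        // Over plain HTTP the cookie would be discarded, so fail loudly instead
        // of silently producing a cookie that never reaches the server.
        if (!$isHttps) {
            throw new RuntimeException('SameSite=None requires HTTPS; cannot issue a cross-site session cookie over HTTP');
        }
        $sameSite = 'None';
    } else {
        // Default: Lax blocks the cookie on cross-site POSTs and subresource loads,
        // which removes most CSRF vectors while keeping top-level navigations working.
        $sameSite = 'Lax';
    }

    return [
        'lifetime' => 0,         // browser-session cookie; expiry is tracked server-side
        'path'     => $path,
        'domain'   => '',
        'secure'   => $isHttps,  // never send the session id in clear text when HTTPS is available
        'httponly' => true,      // keep it out of reach of script
        'samesite' => $sameSite,
    ];
}

/** Apply the attributes and start the session (PHP 7.3+ array form is required for SameSite). */
function startSession(bool $isHttps, bool $embeddedInIframe): void
{
    session_set_cookie_params(sessionCookieParams($isHttps, $embeddedInIframe));
    session_start();
}

// Constructed calls for illustration: a normal HTTPS page and an HTTPS embed.
var_dump(sessionCookieParams(true, false)['samesite']);
var_dump(sessionCookieParams(true, true)['samesite']);
```

On the third bullet of the commit: PHP's `setcookie()` URL-encodes the value for you, while `setrawcookie()` does not; any code that writes a cookie header by hand has to encode the value itself or characters such as `;` and `,` will truncate or split the cookie.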
2019-07-05 | Update the link tag for all php files (#14635) | Luca
  I updated the link tag for all php files with the new matomo link. Not sure if it is realistic that this will get merged, but I thought that someday someone has to do this(?)

2019-06-17 | Detect expired session use (#14502) | diosmosis
  * Add INI config option and add tests.
  * Detect expired sessions.
  * Update config docs.
  * Apply review feedback including storing expiration in session fingerprint.
  * fixing tests.
  * fix unit tests
  * fix test

2018-12-19 | Send all session cookie params when updating session expire time. (#13869) | diosmosis
  * Send all session cookie params when updating session expire time.
  * Use login_cookie_path INI config to init the session cookie path.

2018-11-04 | Update session cookie timeout on each request if session was remembered. (#13554) | diosmosis
  * Update session cookie on each request if session was remembered.
  * Fix unit test.

2018-09-24 | Remove user-agent checking code in SessionAuth. (#13470) | diosmosis (tag: 3.6.1-b2)
  * Remove user-agent checking code in SessionAuth.
  * Fixing test.
  * Fixing couple more tests.

2018-08-17 | Always set Auth interface in DI to the correct plugin's Auth implementation (#13279) | diosmosis
  * Make sure Auth interface is always set even if session auth succeeds.
  * Add failing test.
  * Fix FrontControllerTest
  * Put hash token authentication back since it is still in use in plugins.

2018-08-16 | Make two SessionAuth private methods protected. (#13300) | diosmosis

2018-07-27 | Sessions with more security (#12208) | diosmosis
  * Modifying "cookie authentication" to be more secure. Instead of authenticating by token auth if it exists in the cookie, validate an existing session. If the session has the user name stored as a session var, it has been authenticated. If the request has the same IP address and user agent as the request that created the session, the request is from the user that created the session. If both of these are true, then the session is valid, and we don't need a token auth to authenticate. If the session is deleted before the Piwik auth cookie expires (due to garbage collection), we attempt to re-authenticate using a secure hash of the token auth. We don't do this on every request since password_verify() will, at BEST, add 3.5ms to every request.
  * Invalidate existing sessions after user password change. Invalidation is accomplished w/o having to individually touch sessions by:
    1. Using the password hash as the piwik_auth key secret, instead of the token auth. So when a password changes, existing piwik_auth keys are no longer valid. This affects session re-authentication.
    2. Saving the session start time & the last time a user's password was modified, and checking that the session start time is always newer than the password modification time.
  * Set session.gc_maxlifetime to login_cookie_expire time so session data does not disappear, remove session re-auth functionality & tie cookie hash to password modified time instead of password hash to retain automatic session invalidation on password change.
  * In SessionInitializer, clear other cookie values so previously stored token auths will be removed.
  * Make sure anonymous user is still default user when authenticating.
  * fixing test failures
  * Remove hash checking in piwik_auth cookie. piwik_auth cookie still required since its presence indicates we should use SessionAuth instead of the normal authentication mechanism. Since there's always a session, even if you're not logged in, PIWIK_SESSID can't be used by itself to determine this.
  * Make sure session auth doesn't break in edge case where ts_password_modified column does not exist.
  * Clarify session destruction/invalidation logic in SessionAuth.
  * Make UsersManagerTest slightly more comprehensive.
  * Use Date::now()->getTimestampUTC() instead of time() in SessionFingerprint::initialize().
  * Check getUser returns correct user info in SessionAuth for sanity.
  * Add SessionInitializer::getAuthCookie() back since it is @api.
  * Remove IP address from session auth info + check.
  * Refactor session start changes so it is started in one place only.
  * Remove SessionAuthCookieFactory & deprecate auth cookie INI config vars (still needed for SessionInitializer deprecated method).
  * Make sure user can still login if ts_password_modified column is not present in database.
  * Rename ts_password_modified Update class.
  * Update comment in SessionAuth to include why Piwik tries to create another session.
  * Restore 3.x-dev SessionInitializer for BC (deprecated), move new SessionInitializer to core, add tests for both SessionInitializers.
  * Change update to 3.5 version.
  * Make sure normal auth implementation is used if sessionauth fails so anonymous user can be logged in.
  * On logout clear session fingerprint so same session cannot be used to login.
  * Change update name + bump version, and make sure Session::rememberMe() is called before session is started (otherwise it has no effect).
  * Fixing tests.
  * apply review fixes
  * remove test

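The "Sessions with more security" message above and the later "Detect expired session use" commit together describe one validation rule set: a session authenticates a user only if it carries the user name, has not passed the expiry recorded in its fingerprint, and was started after the user's password was last modified; on logout the fingerprint is cleared so the same session id cannot be reused, and if any check fails the normal Auth implementation runs and yields the anonymous user. The code below is an added example that models those rules; it is not Matomo's SessionFingerprint or SessionAuth code. The array-backed session, the key names and the function names are assumptions, and timestamps are passed in rather than read from the clock (mirroring the commit's move away from time()).

```php
<?php
declare(strict_types=1);

const FP_KEY = 'fingerprint'; // assumed name of the session variable

/** Build the fingerprint stored in the session when a login succeeds. */
function initFingerprint(string $login, int $now, int $lifetimeSeconds): array
{
    return [
        'user'       => $login,
        'ts_start'   => $now,                    // compared against ts_password_modified later
        'ts_expires' => $now + $lifetimeSeconds, // stored in the fingerprint, as the 2019 commit does
    ];
}

/**
 * Return the login this session authenticates, or null when the session must
 * not be trusted. A null result is the signal for the caller to fall back to
 * the regular Auth implementation (which produces the anonymous user).
 */
function authenticateFromSession(array $session, int $now, ?int $tsPasswordModified): ?string
{
    $fp = $session[FP_KEY] ?? null;
    if (!is_array($fp) || !isset($fp['user'], $fp['ts_start'], $fp['ts_expires'])) {
        return null; // never logged in, or fingerprint cleared by logout
    }
    if ($now >= (int) $fp['ts_expires']) {
        return null; // expired session being reused
    }
    // A password change invalidates every session started at or before it,
    // without touching individual session records. A null ts_password_modified
    // (e.g. the column does not exist yet) imposes no constraint.
    if ($tsPasswordModified !== null && (int) $fp['ts_start'] <= $tsPasswordModified) {
        return null;
    }
    return (string) $fp['user'];
}

/** On logout, drop the fingerprint so the same session id cannot log in again. */
function clearFingerprint(array $session): array
{
    unset($session[FP_KEY]);
    return $session;
}

// Constructed walk-through (not real data): login at t=1000 with a one-hour lifetime.
$session = [FP_KEY => initFingerprint('alice', 1000, 3600)];
var_dump(authenticateFromSession($session, 2000, 500));   // password changed before the session started
var_dump(authenticateFromSession($session, 2000, 1500));  // password changed after the session started
var_dump(authenticateFromSession($session, 4600, 500));   // request after ts_expires
var_dump(authenticateFromSession(clearFingerprint($session), 2000, 500)); // after logout
```

The comparison is deliberately `<=`: the commit requires the session start time to be strictly newer than the password modification time, so a session created in the same second as the change is treated as stale. Whole-second timestamps also mean a user who changes their password and logs back in within the same second will be asked to log in again; that is the safe side of the ambiguity.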