Age | Commit message | Author |
|
|
|
for form_rememberme. (#13333)
|
|
(#13279)
* Make sure Auth interface is always set even if session auth succeeds.
* Add failing test.
* Fix FrontControllerTest
* Put hash token authentication back since it is still in use in plugins.
|
|
certain pages. (#13219)
* Add privacy policy/terms and conditions settings and display in bottom of certain pages.
* tweak
* simplify PrivacyManager::shouldRenderFooterLinks().
* Update system test files
* removes typo
* do not render view if no links available
* Remove footer margin in embedded widget.
* ensure footer margin doesn't change (for UI tests)
* update ui files
|
|
* Modifying "cookie authentication" to be more secure.
Instead of authenticating by token auth if it exists in the cookie, validate an existing session. If the session
has the user name stored as a session var, it has been authenticated. If the request has the same IP address and
user agent as the request that created the session, the request is from the user that created the session. If
both of these are true, then the session is valid, and we don't need a token auth to authenticate.
If the session is deleted before the Piwik auth cookie expires (due to garbage collection), we attempt to
re-authenticate using a secure hash of the token auth. We don't do this on every request since password_verify()
will, at BEST, add 3.5ms to every request.
* Invalidate existing sessions after user password change.
Invalidation is accomplished w/o having to individually touch sessions by:
1. Using the password hash as the piwik_auth key secret, instead of the token auth. So when a password changes, existing piwik_auth keys are no longer valid. This affects session re-authentication.
2. Saving the session start time & the last time a user's password was modified, and checking that the session start time is always newer than the password modification time.
* Set session.gc_maxlifetime to login_cookie_expire time so session data does not disappear, remove session re-auth functionality & tie cookie hash to password modified time instead of password hash to retain automatic session invalidation on password change.
* In SessionInitializer, clear other cookie values so previously stored token auths will be removed.
* Make sure anonymous user is still default user when authenticating.
* fixing test failures
* Remove hash checking in piwik_auth cookie.
piwik_auth cookie still required since its presence indicates we should use SessionAuth instead of the normal authentication mechanism. Since there's always a session, even if you're not logged in, PIWIK_SESSID can't be used by itself to determine this.
* Make sure session auth doesn't break in edge case where ts_password_modified column does not exist.
* Clarify session destruction/invalidation logic in SessionAuth.
* Make UsersManagerTest slightly more comprehensive.
* Use Date::now()->getTimestampUTC() instead of time() in SessionFingerprint::initialize().
* Check getUser returns correct user info in SessionAuth for sanity.
* Add SessionInitializer::getAuthCookie() back since it is @api.
* Remove IP address from session auth info + check.
* Refactor session start changes so it is started in one place only.
* Remove SessionAuthCookieFactory & deprecate auth cookie INI config vars (still needed for SessionInitializer deprecated method).
* Make sure user can still login if ts_password_modified column is not present in database.
* Rename ts_password_modified Update class.
* Update comment in SessionAuth to include why Piwik tries to create another session.
* Restore 3.x-dev SessionInitializer for BC (deprecated), move new SessionInitializer to core, add tests for both SessionInitializers.
* Change update to 3.5 version.
* Make sure normal auth implementation is used if sessionauth fails so anonymous user can be logged in.
* On logout clear session fingerprint so same session cannot be used to login.
* Change update name + bump version, and make sure Session::rememberMe() is called before session is started (otherwise it has no effect).
* Fixing tests.
* apply review fixes
* remove test
|
|
* Replace proxy redirect with rel=noreferrer
* Add noopener
* Restore action=redirect for non-Matomo links
* Wrap referring URLs
* NO target on download link
* Fix Github links
* Fix whitespace
* Fix tests
* Revert change
* Revert changes
* Fix tests
* Add noreferrer shim for MSIE 10
* Remove all action=redirect links
* Restore noreferrer
* Restore test
* Fix one more occurrence
* Update changelog
* Combine if's
* Fix changelog wording
* Fix stray whitespace
|
|
When defining a different theme header background color, the color is not applied because of the set class.
refs DEV-1377
|
|
Only the files declaring a shebang have their execution bit set.
Everything else is not executable to avoid possible security issues
|
|
* move Overlay UI tests to Overlay plugin
* remove UI files that have been moved
* move Login UI tests to Login plugin
* check for element instead of comparing screenshots
* Move Installation UI tests to its plugin
* Move UI tests for Marketplace to Marketplace plugin
* Updates Sync Screenshots command to download test files to correct directories
* ensure shortcut help is always tested with same useragent
* Move VisitorMap UI tests to UserCountryMap plugin
* Move Morpheus UI tests to plugin
* Move MultiSites UI tests to plugin
* Move ActionsDataTable UI tests to Actions plugin
* Renames Test directories to tests
* Move UsersManager UI tests to plugin
* Move CoreUpdater UI tests to plugin
* Move DBStats UI tests to plugin
* Move Transitions UI tests to plugin
* Move Insights UI tests to plugin
* improve UI tests splitting on travis
* Moves SegmentEditor UI tests to plugin
* Moves SitesManager UI tests to plugin
* Moves ImageGraph UI tests to plugin
* move live ui test files to git lfs
* remove retry
* update test file
* improve splitting for travis
* prevent test from failing randomly
|
|
* Possibility to login by email
* adds UI tests for login with email
* make method private
|
|
* Improved Login and Reset Password Fields
* Update index.twig
* Update userSettings.twig
|
|
* Replace all occurrences of Piwik in English translations of Actions plugin
* translation update
* Replace all occurrences of Piwik in English translations of API plugin
* translation update
* Replace all occurrences of Piwik in English translations of core
* replace Piwik occurrences
* Rename widget piwik.org blog => matomo.org blog
* fix widget name
* replaced some more piwik mentions
* Renamed to Matomo a few strings
* Replaced more strings to Matomo in JSON files, twig templates
* Replaced more strings to Matomo in INI file
* Replaced more strings to Matomo in API docs, error messages, feedback forms
* introduce API.getMatomoVersion and ExampleAPI.getMatomoVersion API + deprecate old ones
|
|
* renaming more Piwik mentions
* some more updates
* fix some tests
* support matomo partially as require string
* fix tests
* fix failing system test
* fix tests
* fix system test
* fix test
|
|
* Piwik is now Matomo
* make sure logo is not shown too high
* fix some tests
* fix logo height
* fix some ui tests
* update ui tests
|
|
* add possibility to restrict piwik login by ip
* better whitelist implementation
* move classes to corehome
* better error message
* better config
* make sure ips can be overwritten via DI
* fix ui tests
|
|
* http://piwik.org -> https://piwik.org
* more HTTPS URLs
* some more HTTPS URLs
* test README
* don't show "Plugin Homepage" for Piwik plugins
* fix tests
* compile minified js
(hope I didn't break anything)
* some more small changes
* fix UI test
* comment length in piwik.js changed due to https links
* fix test
* update ui file
* update submodule
|
|
* Use HTTPS for piwik.org link
* change second link to https as well
|
|
* remove jquery smartbanner
* add related_applications to manifest.json
https://developers.google.com/web/updates/2015/03/increasing-engagement-with-app-install-banners-in-chrome-for-android?hl=en#native
* remove googleplay icon
* remove smartbanner license
|
|
* Change to gender neutral phrasing in user-facing text
* Switch to gender neutral wording in docs/comments
|
|