github.com/matomo-org/matomo.git
Age | Commit message | Author
2019-05-28 | Ensure each plugin has a config.php and tracker.php file (#14430) | Kate Butler
  * Add empty config.php and tracker.php files to each plugin that doesn't have them; add to whitelist of files that are included in new plugins generated by generate:plugin
  * Add plugin files for plugins which were missing them
2019-05-16 | Require password confirmation before setting/removing superuser access. (#13975) | diosmosis
  * Require password confirmation for changing superuser access and fix issue where getSiteAccess is called w/ superuser when toggling superuser access.
  * apply review feedback
  * Allow bypassing password confirmation in certain scenarios.
  * Fixing tests & adding UI test.
  * Update submodule.
  * test fixes + remove return; from 2fa tests.
  * update submodule
  * Fixing tests
  * Couple tweaks for screenshot testing.
  * test fixes
  * Fix TwoFactorAuthUsersManager test.
  * More test fixes.
  * try to disable all transitions
  * More UI test fixes + disable materialize animations globally in UI tests.
  * 2fa ui tests now working
2019-05-10 | language update (#14441) | Stefan Giehl
2019-05-09 | Switch UI tests from phantomjs to chrome headless (#14421) | Thomas Steur
  * Make sure xss entries is always an array.
  * Update expected test files and submodule.
  * Regenerate broken omnifixture dump.
  * poc conversion to chrome headless for UI tests, single test works locally
  * Get single test to pass on travis & local w/ headless chrome.
  * Remove old diff viewer generation, and get output to look the same as before when there is a failure.
  * Add global timeout & get ViewDataTableTest to pass.
  * Convert BarGraph_spec.js.
  * Convert EmptySite_spec.
  * Update EvolutionGraph spec for chrome headless.
  * Convert GoalsTable test & find/replace for common changes.
  * Convert MeasurableManager.
  * Another find & replace.
  * Get Menus/OptOutForm to pass w/ chrome headless
  * Convert PeriodSelector, PieGraph & PivotByDimension UI tests.
  * undo unrelated debugging change
  * Convert QuickAccess UI tests
  * Converts ActionsDataTable UI tests
  * reset viewport after each testsuite
  * Converts RowEvolution UI tests
  * Converts Theme UI tests
  * Converts SiteSelector UI tests
  * Converts CustomVariables UI test
  * Converts DBStats UI test
  * Ignore empty responses when calling api/controller
  * Converts Dashboard UI tests
  * Converts Live UI tests
  * Converts SimpleUI tests
  * Converts Installation UI tests
  * Converts ImageGraph UI tests
  * Converts Login UI tests
  * Converts Marketplace UI tests
  * Converts Insights UI tests
  * Converts ReportExporting UI tests
  * Converts UIIntegration tests
  * Updates ViewDataTable UI tests
  * Converts CoreUpdater UI tests
  * Converts UsersManager UI tests
  * Converts Morpheus UI tests
  * Converts MultiSites UI tests
  * Fix testEnvironment.callApi handling of array parameters
  * Converts Overlay UI tests
  * Converts PrivacyManager UI tests
  * Converts ScheduledReports UI tests
  * Converts SegmentEditor UI tests
  * compare pixel difference in images
  * Converts PeriodSelector UI tests
  * allow a pixel difference
  * Converts SingleMetricView UI tests
  * Converts SitesManager UI tests
  * Converts Transitions UI tests
  * Converts MeasurableManager UI tests
  * Move Mouse out of screen after each test suite
  * Converts PieGraph UI tests
  * Ensure cursor is not shown in focused input elements
  * Converts VisitorMap UI tests
  * Converts CustomLogo UI tests
  * Converts BarGraph UI tests
  * Converts EvolutionGraph UI tests
  * Converts IntranetMeasurable UI tests
  * Converts TrackingFailures UI tests
  * Converts CampaignBuilder UI tests
  * Converts TagManagerTeaser UI tests
  * fix request url rewrite for changed port
  * Converts TwoFactorAuth UI tests
  * do not print full responses in logs, but size instead
  * improve additional style injection
  * use submodule branches
  * fix request interception
  * update dependencies
  * [TEMP] disable dangerous link checks
  * [TEMP] limit tests
  * Use puppeteer@next and make sure diffs get uploaded properly.
  * Use correct fs function.
  * Allow timeout to be specified on command line for UI tests and debug console logs.
  * timeout option tweak
  * Setup diff dir once before running tests not before each suite.
  * fix last commit
  * Update screenshots and fix some specs.
  * Convert some tests that were not converted during merge.
  * updating screenshots
  * Updating screenshots and fixing some tests.
  * more test fixes
  * couple more test fixes
  * More test fixes and plugin updates.
  * wait for jquery
  * Fix some screenshots and tests.
  * more test fixes
  * debug travis test failure
  * remove .only
  * more test fixes and updated expected files
  * another test fixing iteration
  * typo
  * another quick test change
  * more tests updates
  * Test fixes and & more debugging.
  * more debugging and test fixes
  * more fixes and debugging.
  * remove .only
  * Another round of fixed tests.
  * more debugging & fixes
  * more test changes
  * more debugging and fixes
  * Fixing more tests + some bug fixes.
  * Couple more fixes.
  * Couple more fixes.
  * Fixing tracking failures test
  * more fixes
  * Last couple fixes hopefully.
  * couple more test fixes
  * more fixes, bug fix in usersmanager, some test updates
  * Some more test fixes/changes.
  * more and more fixes
  * hoping for a green build
  * Do not compare against existing files in dashboard_spec.
  * more fixes, re-enabling travis
  * really re-enable travis
  * Install puppeteer on travis-ci.
  * more fixes
  * try to fix random failures
  * remove return
  * Convert some login tests I forgot and update UsersManager expected file
  * Fix test for primary key update
  * Update AddPrimaryKey.php
  * More test fixes + implement synchronous comparison threshold (so no resemblejs)
  * More wait fixes + reset token detection fix.
  * couple more fixes
  * Fix login/overlay screenshot issue & magick command running issue.
  * identify is the executable on travis (hopefully) + fix some random failures
  * Another run.
  * Last fix.
  * two more tweaks
  * typo
2019-04-07 | Fix build (#14320) | diosmosis
  * update submodules
  * update expected screenshots
2019-04-03 | spellcheck en.json files (#14135) | Lukas Winkler
  * spellcheck en.json files
  * fix WidgetsListTest
  * additional fixes
  * simplify sentence
  * Fixing tests.
2019-03-09 | language update (#14170) | Stefan Giehl
2019-03-08 | Send email notification when user email changes. (#14136) | diosmosis
  * Send email notification when user email changes.
  * Forgot to add file.
  * Apply pr fixes + send email for password changes too.
  * Add quick test for new emails.
  * Translate text
  * Refactor according to review.
  * ucfirst device name
  * Fixing integration test
2019-02-25 | language update (#14134) | Stefan Giehl
2019-02-25 | Noindex, nofollow for login page and tracker default output (#14121) | Thomas Steur
  * Noindex, nofollow for login page
  * Update Response.php
  * update tests
  * update UI files
2019-02-15 | language update (#14103) | Stefan Giehl
2019-02-12 | POST to login plugin in login form (#14081) | diosmosis
  * Instead of using referrer URL, use redirect post param so we can post to Login module.
  * Use actual login plugin name.
  * Remove sanitization for form_redirect POST value.
  * Couple more checks for a safer redirect.
  * Do not include port in host check.
  * Make sure hosts are not empty for more security.
2019-01-28 | Make sure to compare password with unsanitized password (#14033) | Thomas Steur
2019-01-27 | language update (#14030) | Stefan Giehl
2019-01-25 | Do not enable brute force detection during update process. (#14001) | diosmosis
  * Do not enable brute force detection during update process.
  * Try detection through checking for updates.
  * Do not enable brute force detection until version is successfully updated to 3.8.0.
  * $dbSchemaVersion may be false
2019-01-23 | language update (#14000) | Stefan Giehl
2019-01-14 | language update (#13956) | Stefan Giehl
2019-01-07 | language update (#13938) | Stefan Giehl
2019-01-07 | Update submodules. (#13936) | diosmosis
  * Update submodules.
  * Update expected files.
  * Fix more integration tests.
  * Update submodule.
  * Update screenshots.
2019-01-04 | Make sure all Matomo emails use correct branding. (#13908) | diosmosis
  * Make sure all Matomo emails use correct branding.
  * update email logo
  * reuse variables
  * Change default from to Matomo Analytics.
  * Fix list style in report emails, update customalerts submodule and make dashboard link go to default report in emails.
  * Updated submodule.
  * Bump version + update submodules.
  * Remove submodule update so plugins can be merged after rc2 merged.
2019-01-03 | language update (#13927) | Stefan Giehl
2018-12-27 | language update (#13915) | Stefan Giehl
2018-12-22 | Fix wording in brute force system setting (#13903) | Thomas Steur
  fix https://github.com/matomo-org/matomo/issues/13899
2018-12-17 | language update (#13871) | Stefan Giehl
2018-12-10 | Lock down accounts by IP after N failed attempts at logging in (#13472) | Thomas Steur
  * some basic work on preventing brute force attacks
  * change order
  * delete depending on configured value
  * show log and feature to unblock ips etc
  * more tweaks
  * lots of fixes, improvements, and tests
  * add more tests
  * add more fixes
  * fix typo
  * make sure to check for all API requests whether allowed
  * apply feedback
  * block more usages
  * improve usage
  * fix some tests
  * fix some tests
  * fix memory problem
  * do not whitelist ips for brute force tests
  * trying to fix tests
  * only delete if installed
  * use query
  * fix some tests
  * better fix
  * fix some tests
  * fix ui tests
  * fix more tests
2018-12-08 | Fixing build (#13808) | diosmosis
  * Rename long files.
  * fix test name
  * Try to fix several test failures.
  * Rename expected files.
  * --amend
  * Try to fix tests.
  * Fix more system tests.
  * Fix more tests.
  * Add debug log.
  * Update CustomAlerts submodule for test fix.
  * Fix some more screenshots.
  * Fixing more tests.
  * Update more expected test files & screenshots.
  * Last couple fixes.
  * update tagmanager submodule
  * update submodule
  * update submodule
2018-12-06 | When you are logged out, the URL gets lost when you log in (#13441) | Thomas Steur
  It won't remember any hash as the hash won't be visible in the referrer etc but it would work for most other pages. To make it work for hash it would get likely way more complicated like we would need to persist it through JS, temporarily store it somewhere and redirect accordingly. It fixes the case mentioned in the issue.
  fix https://github.com/matomo-org/matomo/issues/13328
2018-12-03 | Implement Two Factor Authentication (#13670) | Thomas Steur
2018-11-30 | When changing password or email address, require to type old password (#13683) | Thomas Steur
2018-11-19 | Assume `javascript:void(0);` as safe link in tests (#13722) | Stefan Giehl
  * Assume javascript:void(0); as safe link
  * update some more UI files
2018-11-14 | Fix build which fails with new theme (#13713) | Thomas Steur
  * fix some tests
  * fix more tests
  * fix more tests
2018-11-14 | language update (#13708) | Stefan Giehl
2018-11-13 | Update theme to reflect the new logo and brand color changes (#13629) | Thomas Steur
  * update theme
  * fix alert box has no spacing
  * fix couple issues with new theme
  * improve contrast and make sure to use correct theme color
  * fix notification colour
  * fix wrong logo used
  * fix theme color
  * fix update title not readable
2018-11-13 | Regenerate OmniFixture dump w/ more xss payloads (#13556) | diosmosis
  * Buffing xss testing system.
  * More testing changes.
  * Finish adding more xss test data.
  * Update ui-test.php file.
  * Use DI\add in test container override.
  * Update OmniFixture.
  * Get fixture to setup properly.
  * Make xss sanity check work w/ persist fixture data option.
  * Another sanity check tweak.
  * Trying to debug xss sanity check.
  * removing duplicates
  * Fix xss testing JS.
  * Escape widget category text.
  * deal w/ angular input in goal name
  * Ensure privacy manager links are safe and add automated test for dangerous links to UI tests.
  * Create dangerous link method in xsstesting class.
  * Make xss test failures a bit easier to debug and escape metric documentation for angular.
  * Tweak quickaccess test.
  * Try to get pivot by dimension test to pass.
  * Tweak QuickAccess test and try to get xss reports to show.
  * Fix exception message.
  * Tweaks to fake xss report (cannot currently be displayed).
  * Updating screenshots.
  * In check for dangerous links test allow empty links that use dangerous prefix.
  * fix a couple more tests.
  * update more screenshots
  * Update a couple more screenshots.
  * Updated screenshot.
  * update screenshots
  * update two more screenshots
  * Use ng-bind-html to sanitize report documentation which can potentially have HTML.
  * update screenshots
2018-11-01 | language update (#13663) | Stefan Giehl
2018-10-15 | language update (#13612) | Stefan Giehl
2018-10-12 | Add tests for password resetter and tweak process a bit. (#13523) | diosmosis
  * Add tests for password resetter and tweak process a bit.
  * Add random string to reset key suffix.
  * Tweak email message.
  * Fixing tests (includes change to always use latest testing environment variables during tests).
  * Tweak to randomstring
2018-10-08 | language update (#13560) | Stefan Giehl
2018-10-03 | Improve usage of requested site in plugin Controllers (#13526) | Stefan Giehl
2018-09-01 | Adds new language Spanish (Argentina) (#13350) | Stefan Giehl
2018-08-28 | Login form sometimes submits to CoreHome so must be more lenient in check for form_rememberme. (#13333) | diosmosis
2018-08-19 | language update (#13316) | Stefan Giehl
2018-08-17 | Unify logo usage (#13298) | Stefan Giehl
2018-08-17 | Always set Auth interface in DI to the correct plugin's Auth implementation (#13279) | diosmosis
  * Make sure Auth interface is always set even if session auth succeeds.
  * Add failing test.
  * Fix FrontControllerTest
  * Put hash token authentication back since it is still in use in plugins.
2018-08-02 | Add privacy policy/terms and conditions settings and display in bottom of certain pages. (#13219) | diosmosis
  * Add privacy policy/terms and conditions settings and display in bottom of certain pages.
  * tweak
  * simplify PrivacyManager::shouldRenderFooterLinks().
  * Update system test files
  * removes typo
  * do not render view if no links available
  * Remove footer margin in embedded widget.
  * ensure footer margin doesn't change (for UI tests)
  * update ui files
2018-07-27 | Sessions with more security (#12208) | diosmosis
  * Modifying "cookie authentication" to be more secure. Instead of authenticating by token auth if it exists in the cookie, validate an existing session. If the session has the user name stored as a session var, it has been authenticated. If the request has the same IP address and user agent as the request that created the session, the request is from the user that created the session. If both of these are true, then the session is valid, and we don't need a token auth to authenticate. If the session is deleted before the Piwik auth cookie expires (due to garbage collection), we attempt to re-authenticate using a secure hash of the token auth. We don't do this on every request since password_verify() will, at BEST, add 3.5ms to every request.
  * Invalidate existing sessions after user password change. Invalidation is accomplished w/o having to individually touch sessions by:
    1. Using the password hash as the piwik_auth key secret, instead of the token auth. So when a password changes, existing piwik_auth keys are no longer valid. This affects session re-authentication.
    2. Saving the session start time & the last time a user's password was modified, and checking that the session start time is always newer than the password modification time.
  * Set session.gc_maxlifetime to login_cookie_expire time so session data does not disappear, remove session re-auth functionality & tie cookie hash to password modified time instead of password hash to retain automatic session invalidation on password change.
  * In SessionInitializer, clear other cookie values so previously stored token auths will be removed.
  * Make sure anonymous user is still default user when authenticating.
  * fixing test failures
  * Remove hash checking in piwik_auth cookie. piwik_auth cookie still required since its presence indicates we should use SessionAuth instead of the normal authentication mechanism. Since there's always a session, even if you're not logged in, PIWIK_SESSID can't be used by itself to determine this.
  * Make sure session auth doesn't break in edge case where ts_password_modified column does not exist.
  * Clarify session destruction/invalidation logic in SessionAuth.
  * Make UsersManagerTest slightly more comprehensive.
  * Use Date::now()->getTimestampUTC() instead of time() in SessionFingerprint::initialize().
  * Check getUser returns correct user info in SessionAuth for sanity.
  * Add SessionInitializer::getAuthCookie() back since it is @api.
  * Remove IP address from session auth info + check.
  * Refactor session start changes so it is started in one place only.
  * Remove SessionAuthCookieFactory & deprecate auth cookie INI config vars (still needed for SessionInitializer deprecated method).
  * Make sure user can still login if ts_password_modified column is not present in database.
  * Rename ts_password_modified Update class.
  * Update comment in SessionAuth to include why Piwik tries to create another session.
  * Restore 3.x-dev SessionInitializer for BC (deprecated), move new SessionInitializer to core, add tests for both SessionInitializers.
  * Change update to 3.5 version.
  * Make sure normal auth implementation is used if sessionauth fails so anonymous user can be logged in.
  * On logout clear session fingerprint so same session cannot be used to login.
  * Change update name + bump version, and make sure Session::rememberMe() is called before session is started (otherwise it has no effect).
  * Fixing tests.
  * apply review fixes
  * remove test
2018-07-25 | Replace proxy redirect with rel=noreferrer (#12780) | Christian Schmidt
  * Replace proxy redirect with rel=noreferrer
  * Add noopener
  * Restore action=redirect for non-Matomo links
  * Wrap referring URLs
  * NO target on download link
  * Fix Github links
  * Fix whitespace
  * Fix tests
  * Revert change
  * Revert changes
  * Fix tests
  * Add noreferrer shim for MSIE 10
  * Remove all action=redirect links
  * Restore noreferrer
  * Restore test
  * Fix one more occurrence
  * Update changelog
  * Combine if's
  * Fix changelog wording
  * Fix stray whitespace
2018-07-25 | language update (#13209) | Stefan Giehl
2018-07-07 | Fix theme header color is not applied in login screen (#13138) | Thomas Steur
  When defining a different theme header background color, the color is not applied because of the set class.
  refs DEV-1377
2018-06-28 | Remove executable bit on most files (#13038) | Adrien Crivelli
  Only the files declaring a shebang have their execution bit set. Everything else is not executable to avoid possible security issues