refs #4747 verify user has at least view access for the site
tsteur committed Mar 3, 2014
1 parent d6a113c commit 8daa186
Showing 2 changed files with 24 additions and 0 deletions.
20 changes: 20 additions & 0 deletions plugins/ScheduledReports/API.php
Expand Up @@ -12,9 +12,11 @@
use Piwik\Common;
use Piwik\Date;
use Piwik\Db;
use Piwik\NoAccessException;
use Piwik\Piwik;
use Piwik\Plugins\LanguagesManager\LanguagesManager;
use Piwik\Plugins\SegmentEditor\API as APISegmentEditor;
use Piwik\Plugins\SitesManager\API as SitesManagerApi;
use Piwik\ReportRenderer;
use Piwik\ReportRenderer\Html;
use Piwik\Site;
Expand Down Expand Up @@ -288,8 +290,11 @@ public function generateReport($idReport, $date, $language = false, $outputType
$report = reset($reports);

$idSite = $report['idsite'];
$login = $report['login'];
$reportType = $report['type'];

$this->checkUserHasViewPermission($login, $idSite);

// override report period
if (empty($period)) {
$period = $report['period'];
Expand Down Expand Up @@ -935,4 +940,19 @@ private function createAttachment($report, $processedReport, $prettyDate)

return $additionalFile;
}

private function checkUserHasViewPermission($login, $idSite)
{
if (empty($idSite)) {
return;
}

$idSitesUserHasAccess = SitesManagerApi::getInstance()->getSitesIdWithAtLeastViewAccess($login);

if (empty($idSitesUserHasAccess)
|| !in_array($idSite, $idSitesUserHasAccess)
) {
throw new NoAccessException(Piwik::translate('General_ExceptionPrivilege', array("'view'")));
}
}
}
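Review bot: `checkUserHasViewPermission()` returns without checking anything when `empty($idSite)` is true, so a stored report whose `idsite` is missing, `0` or `'0'` passes the new authorization step in `generateReport()` unchecked. If such reports are not meant to exist, the guard should fail closed, for example `if (empty($idSite)) { throw new NoAccessException(Piwik::translate('General_ExceptionPrivilege', array("'view'"))); }`; if they are legitimate, a comment should say why no site check applies to them. The helper also lacks a docblock: it should state that `$login` is the owner recorded on the report (not necessarily the user making the call), that `$idSite` is the report's site, and that it throws `NoAccessException` when that owner lacks view access. `generateReport()` begins and continues outside this hunk, so whether any other path reaches the report data before this call cannot be judged from the visible lines.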
4 changes: 4 additions & 0 deletions plugins/SitesManager/API.php
Expand Up @@ -340,6 +340,10 @@ public function getSitesIdWithAtLeastViewAccess($_restrictSitesToLogin = false)
|| TaskScheduler::isTaskBeingExecuted())
) {

if (Piwik::hasTheUserSuperUserAccess($_restrictSitesToLogin)) {
return Access::getInstance()->getSitesIdWithAtLeastViewAccess();
}

$accessRaw = Access::getInstance()->getRawSitesWithSomeViewAccess($_restrictSitesToLogin);
$sitesId = array();
foreach ($accessRaw as $access) {
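Review bot: The new early return answers a question about `$_restrictSitesToLogin` with `Access::getInstance()->getSitesIdWithAtLeastViewAccess()`, which is the site list of whatever identity the Access singleton currently holds rather than one computed for the named login. That is only equivalent if the enclosing condition guarantees the current context is itself a super user or the task scheduler; only its tail (`TaskScheduler::isTaskBeingExecuted()`) is visible, because the condition and the rest of the method lie outside this hunk. A comment above the branch would pin the assumption, e.g. `// Login is a super user: return every site visible to the current (super user or scheduler) context.`, presumably needed because the raw per-site access lookup yields nothing for super users. A test covering a super-user login and a regular login through this branch would keep the two paths from drifting apart.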