Disallow displaying API content within Piwik app

+ regression test + regression test for #7638
matomo-org · Jun 23, 2015 · 0ebd9e2 · 0ebd9e2
1 parent 16b3392
commit 0ebd9e2
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/plugins/CoreHome/javascripts/broadcast.js b/plugins/CoreHome/javascripts/broadcast.js
@@ -416,6 +416,13 @@ var broadcast = {
             );
         }
 
+        if(broadcast.getParamValue('module', urlAjax) == 'API') {
+            broadcast.lastUrlRequested = null;
+            $('#content').html("Loading content from the API and displaying it within Piwik is not allowed.");
+            piwikHelper.hideAjaxLoading();
+            return false;
+        }
+
         piwikHelper.hideAjaxError('loadingError');
         piwikHelper.showAjaxLoading();
         $('#content').empty();

diff --git a/tests/UI/specs/UIIntegration_spec.js b/tests/UI/specs/UIIntegration_spec.js
@@ -333,6 +333,20 @@ describe("UIIntegrationTest", function () { // TODO: Rename to Piwik?
         }, done);
     });
 
+    // Do not allow API response to be displayed
+    it('should not allow to widgetize an API call', function (done) {
+        expect.screenshot('widgetize_apidisallowed').to.be.captureSelector('#content', function (page) {
+            page.load("?" + widgetizeParams + "&" + generalParams + "&moduleToWidgetize=API&actionToWidgetize=index&method=SitesManager.getImageTrackingCode&piwikUrl=test");
+        }, done);
+    });
+
+    it('should not display API response in the content', function (done) {
+        expect.screenshot('menu_apidisallowed').to.be.captureSelector('#content', function (page) {
+            page.load("?" + urlBase + "#" + generalParams + "&module=API&action=SitesManager.getImageTrackingCode");
+        }, done);
+    });
+
+    // Ecommerce
     it('should load the ecommerce overview page', function (done) {
         expect.screenshot('ecommerce_overview').to.be.captureSelector('.pageWrap,.expandDataTableFooterDrawer', function (page) {
             page.load("?" + urlBase + "#" + generalParams + "&module=Ecommerce&action=ecommerceReport&idGoal=ecommerceOrder");
@@ -599,4 +613,6 @@ describe("UIIntegrationTest", function () { // TODO: Rename to Piwik?
             page.load("?module=CoreAdminHome&action=optOut&language=en");
         }, done);
     });
+
+
 });