Merge pull request #7638 from piwik/no_api_widgetize

Do not allow to widgetize any API call

plugins/Widgetize/Controller.php

@@ -27,23 +27,6 @@ public function index()
         return $view->render();
     }
 
-    public function testJsInclude1()
-    {
-        $view = new View('@Widgetize/testJsInclude1');
-        $view->url1 = '?module=Widgetize&action=js&moduleToWidgetize=DevicesDetection&actionToWidgetize=getBrowsers&idSite=1&period=day&date=yesterday';
-        $view->url2 = '?module=Widgetize&action=js&moduleToWidgetize=API&actionToWidgetize=index&method=ExamplePlugin.getGoldenRatio&format=original';
-        return $view->render();
-    }
-
-    public function testJsInclude2()
-    {
-        $view = new View('@Widgetize/testJsInclude2');
-        $view->url1 = '?module=Widgetize&action=js&moduleToWidgetize=DevicesDetection&actionToWidgetize=getBrowsers&idSite=1&period=day&date=yesterday';
-        $view->url2 = '?module=Widgetize&action=js&moduleToWidgetize=UserCountry&actionToWidgetize=getCountry&idSite=1&period=day&date=yesterday&viewDataTable=cloud&show_footer=0';
-        $view->url3 = '?module=Widgetize&action=js&moduleToWidgetize=Referrers&actionToWidgetize=getKeywords&idSite=1&period=day&date=yesterday&viewDataTable=table&show_footer=0';
-        return $view->render();
-    }
-
     public function iframe()
     {
         Request::reloadAuthUsingTokenAuth();
@@ -52,6 +35,10 @@ public function iframe()
         $controllerName = Common::getRequestVar('moduleToWidgetize');
         $actionName     = Common::getRequestVar('actionToWidgetize');
 
+        if($controllerName == 'API') {
+            throw new \Exception("Widgetizing API requests is not supported for security reasons. Please change query parameter 'moduleToWidgetize'.");
+        }
+
         if ($controllerName == 'Dashboard' && $actionName == 'index') {
             $view = new View('@Widgetize/iframe_empty');
         } else {