
Require password confirmation for more plugin operations. #17345

Merged: 9 commits into 4.x-dev from more-pwd-confirmation, Apr 24, 2021

Conversation

diosmosis (Member) commented Mar 15, 2021

Description:

Adding a requirement for password confirmation for: activating a plugin, deactivating a plugin, uninstalling a plugin, and for CorePluginsAdmin.setSystemSettings.

Review

  • Functional review done
  • Potential edge cases thought about (behavior of the code with strange input, with strange internal state or possible interactions with other Matomo subsystems)
  • Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
  • Security review done see checklist
  • Code review done
  • Tests were added if useful/possible
  • Reviewed for breaking changes
  • Developer changelog updated if needed
  • Documentation added if needed
  • Existing documentation updated if needed

@diosmosis diosmosis added this to the 4.3.0 milestone Mar 15, 2021
@diosmosis diosmosis marked this pull request as draft March 15, 2021 03:17
@diosmosis diosmosis added the Needs Review PRs that need a code review label Apr 20, 2021
@diosmosis diosmosis marked this pull request as ready for review April 20, 2021 03:25
flamisz (Contributor) commented Apr 20, 2021

Is it common to ask for the password as a URL parameter when we already have the token validation? Is it necessary? I can't remember using an API like this.

diosmosis (Member, Author) commented

@flamisz if you grep through API files for 'passwordConfirmation', you'll find similar methods. It is an extra security precaution for sensitive settings and changes.

Also just realized I forgot the UI-related changes, will move this back to a draft.
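The check behind a `passwordConfirmation` parameter, as an added illustration that is not Matomo's own code (`PasswordVerifier`, `PluginsAdminApi`, the exception class and the error message are hypothetical names chosen for this example): each sensitive method takes the caller's current password as an extra argument and verifies it against the stored hash before acting, on top of the token or session authentication that already identifies the caller.

```php
<?php
declare(strict_types=1);

// Added example of the password-confirmation pattern discussed in this PR.
// All class and method names are hypothetical; this is not Matomo's code.

final class CurrentPasswordNotCorrectException extends RuntimeException {}

final class PasswordVerifier
{
    private string $dummyHash;

    /** @param array<string, string> $hashesByLogin login => password_hash() output */
    public function __construct(private array $hashesByLogin)
    {
        // Verified against when the login is unknown, so a failure takes the
        // same time whether or not the account exists.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    public function isPasswordCorrect(string $login, string $password): bool
    {
        $hash = $this->hashesByLogin[$login] ?? null;
        if ($hash === null) {
            password_verify($password, $this->dummyHash);
            return false;
        }
        return password_verify($password, $hash);
    }
}

final class PluginsAdminApi
{
    /** @var array<string, bool> plugin name => active (constructed sample state) */
    private array $plugins = ['ExamplePlugin' => false];
    /** @var array<string, mixed> */
    private array $systemSettings = [];

    public function __construct(
        private PasswordVerifier $verifier,
        private string $currentLogin, // identity already established by token_auth or the session
    ) {}

    // Every sensitive method calls this first: the caller must re-supply the
    // current password even though the request is already authenticated.
    private function confirmCurrentUserPassword(string $passwordConfirmation): void
    {
        if ($passwordConfirmation === ''
            || !$this->verifier->isPasswordCorrect($this->currentLogin, $passwordConfirmation)) {
            // One generic message covers both "missing" and "wrong".
            throw new CurrentPasswordNotCorrectException('The current password is not correct.');
        }
    }

    public function activatePlugin(string $pluginName, string $passwordConfirmation = ''): void
    {
        $this->confirmCurrentUserPassword($passwordConfirmation);
        $this->plugins[$pluginName] = true;
    }

    // deactivatePlugin() would follow exactly the same shape as uninstallPlugin().
    public function uninstallPlugin(string $pluginName, string $passwordConfirmation = ''): void
    {
        $this->confirmCurrentUserPassword($passwordConfirmation);
        unset($this->plugins[$pluginName]);
    }

    public function setSystemSettings(array $settingValues, string $passwordConfirmation = ''): void
    {
        $this->confirmCurrentUserPassword($passwordConfirmation);
        $this->systemSettings = array_replace($this->systemSettings, $settingValues);
    }

    public function isPluginActive(string $pluginName): bool
    {
        return $this->plugins[$pluginName] ?? false;
    }
}

// Constructed sample data: one super user with a known password.
$verifier = new PasswordVerifier([
    'admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
]);
$api = new PluginsAdminApi($verifier, 'admin');

try {
    $api->activatePlugin('ExamplePlugin'); // no confirmation supplied: rejected
} catch (CurrentPasswordNotCorrectException $e) {
    echo "rejected without confirmation: {$e->getMessage()}\n";
}

try {
    $api->activatePlugin('ExamplePlugin', 'wrong-password'); // wrong password: rejected
} catch (CurrentPasswordNotCorrectException $e) {
    echo "rejected with wrong password: {$e->getMessage()}\n";
}

$api->activatePlugin('ExamplePlugin', 'correct horse battery staple');
var_dump($api->isPluginActive('ExamplePlugin'));
```

Because the confirmation value is the user's real password, it belongs in the POST body rather than the query string, so that it does not end up in access logs or browser history; rate limiting repeated failed confirmations is also worth considering, since the check gives an already-authenticated caller a password oracle.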

@diosmosis diosmosis marked this pull request as draft April 20, 2021 04:14
…penEnd materializecss modal event handler instead of ready since ready no longer exists in used version
@diosmosis diosmosis marked this pull request as ready for review April 21, 2021 00:12
diosmosis (Member, Author) commented

Added the UI changes. Also noticed we were using the old ready: event for materializecss modals, should be using onOpenEnd now.

diosmosis (Member, Author) commented

@sgiehl this should be ready for another review

sgiehl (Member) left a comment

Seems to work as expected now. Some UI tests for TagManager and QueuedTracking are failing due to the new password confirmation. Might be good to fix them before merging.

@diosmosis diosmosis merged commit 6227cb0 into 4.x-dev Apr 24, 2021
@diosmosis diosmosis deleted the more-pwd-confirmation branch April 24, 2021 03:28