Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add token_auth to overlay requests where necessary #17851

Merged
merged 15 commits into from Aug 13, 2021
Merged

add token_auth to overlay requests where necessary #17851

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
3b5d5e2
add token_auth to overlay requests where necessary #17640
Aug 3, 2021
aedaa58
ensure all links on overlay page work as expected both, with token_au…
Aug 5, 2021
200f5eb
Merge branch '4.x-dev' into m-17640
Aug 5, 2021
e546ee2
DRY force_api_session=1 and token_auth parameters in broadcast.js and…
Aug 5, 2021
2e6b42d
polish logic for overlay with token_auth and change minimal logic in …
Aug 6, 2021
4543f2f
use 'string' as string parameter #17640
Aug 6, 2021
00a8dcd
simplify token_auth check #17640
Aug 9, 2021
797c146
Merge branch '4.x-dev' into m-17640
Aug 9, 2021
27f403b
revert git submodule to 4.x-dev version #17640
Aug 10, 2021
edb9ec7
Merge branch '4.x-dev' into m-17640
Aug 10, 2021
f91592f
return $tokenAuth string (truthy) only, simplify condition, ensure & …
Aug 10, 2021
99aa0d2
Merge branch '4.x-dev' into m-17640
Aug 10, 2021
569d9ec
revert submodule change
sgiehl Aug 12, 2021
7645683
Merge branch '4.x-dev' into m-17640
sgiehl Aug 12, 2021
7a81b36
Update core/View.php
Aug 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
15 changes: 14 additions & 1 deletion core/View.php
View file
Open in desktop
Expand Up @@ -11,6 +11,7 @@
use Exception;
use Piwik\AssetManager\UIAssetCacheBuster;
use Piwik\Container\StaticContainer;
use Piwik\Session\SessionAuth;
use Piwik\View\ViewInterface;
use Piwik\View\SecurityPolicy;
use Twig\Environment;
Expand Down Expand Up @@ -465,7 +466,19 @@ public static function singleReport($title, $reportHtml)
private function shouldPropagateTokenAuthInAjaxRequests()
{
$generalConfig = Config::getInstance()->General;
return Common::getRequestVar('module', false) == 'Widgetize' || $generalConfig['enable_framed_pages'] == '1';
return Common::getRequestVar('module', false) == 'Widgetize' ||
$generalConfig['enable_framed_pages'] == '1' ||
$this->validTokenAuthInUrl();
}

/**
* @return bool
* @throws Exception
*/
private function validTokenAuthInUrl()
{
$tokenAuth = Common::getRequestVar('token_auth', '', 'string', $_GET);
return ($tokenAuth && $tokenAuth === Piwik::getCurrentUserTokenAuth());
}

/**
Expand Down
1 change: 1 addition & 0 deletions plugins/Annotations/javascripts/annotations.js
View file
Open in desktop
Expand Up @@ -112,6 +112,7 @@

var ajaxRequest = new ajaxHelper();
ajaxRequest.addParams(ajaxParams, 'get');
ajaxRequest.withTokenInUrl();
ajaxRequest.setFormat('html');
ajaxRequest.setCallback(callback);
ajaxRequest.send();
Expand Down
2 changes: 1 addition & 1 deletion plugins/CoreHome/angularjs/common/services/piwik-api.js
View file
Open in desktop
Expand Up @@ -338,7 +338,7 @@ var hasBlockedContent = false;
}

return {
withTokenInUrl: withTokenInUrl,
withTokenInUrl: withTokenInUrl, // technically should probably be called withTokenInPost
bulkFetch: bulkFetch,
post: post,
fetch: fetch,
Expand Down
5 changes: 4 additions & 1 deletion plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js
View file
Open in desktop
Expand Up @@ -114,7 +114,10 @@
}

if (piwik.shouldPropagateTokenAuth && broadcast.getValueFromUrl('token_auth')) {
url += '&force_api_session=1&token_auth=' + broadcast.getValueFromUrl('token_auth');
if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
url += '&force_api_session=1';
}
url += '&token_auth=' + encodeURIComponent(broadcast.getValueFromUrl('token_auth'));
}

url += '&random=' + parseInt(Math.random() * 10000);
Expand Down
1 change: 0 additions & 1 deletion plugins/CoreHome/javascripts/broadcast.js
View file
Open in desktop
Expand Up @@ -176,7 +176,6 @@ var broadcast = {
}
}
},

isWidgetizedDashboard: function() {
return broadcast.getValueFromUrl('module') == 'Widgetize' && broadcast.getValueFromUrl('moduleToWidgetize') == 'Dashboard';
},
Expand Down
1 change: 1 addition & 0 deletions plugins/CoreHome/javascripts/dataTable_rowactions.js
View file
Open in desktop
Expand Up @@ -474,6 +474,7 @@ DataTable_RowActions_RowEvolution.prototype.showRowEvolution = function (apiMeth

var ajaxRequest = new ajaxHelper();
ajaxRequest.addParams(requestParams, 'get');
ajaxRequest.withTokenInUrl();
ajaxRequest.setCallback(callback);
ajaxRequest.setFormat('html');
ajaxRequest.send();
Expand Down
1 change: 1 addition & 0 deletions plugins/Live/javascripts/SegmentedVisitorLog.js
View file
Open in desktop
Expand Up @@ -135,6 +135,7 @@ var SegmentedVisitorLog = function() {

var ajaxRequest = new ajaxHelper();
ajaxRequest.addParams(requestParams, 'get');
ajaxRequest.withTokenInUrl();
ajaxRequest.setCallback(callback);
ajaxRequest.setFormat('html');
ajaxRequest.send();
Expand Down
5 changes: 4 additions & 1 deletion plugins/Live/javascripts/visitorProfile.js
View file
Open in desktop
Expand Up @@ -156,7 +156,10 @@
$element.on('mousedown', '.visitor-profile-export', function (e) {
var url = $(this).attr('href');
if (url.indexOf('&token_auth=') == -1) {
$(this).attr('href', url + '&force_api_session=1&token_auth=' + piwik.token_auth);
if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
url += '&force_api_session=1';
}
$(this).attr('href', url + '&token_auth=' + piwik.token_auth);
}
});

Expand Down
5 changes: 4 additions & 1 deletion plugins/Overlay/javascripts/Overlay_Helper.js
View file
Open in desktop
Expand Up @@ -29,7 +29,10 @@ var Overlay_Helper = {

var token_auth = piwik.broadcast.getValueFromUrl("token_auth");
if (token_auth.length && piwik.shouldPropagateTokenAuth) {
url += '&force_api_session=1&token_auth=' + encodeURIComponent(token_auth);
if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
url += '&force_api_session=1';
}
url += '&token_auth=' + encodeURIComponent(token_auth);
}

if (link) {
Expand Down
1 change: 1 addition & 0 deletions plugins/Overlay/javascripts/Piwik_Overlay.js
View file
Open in desktop
Expand Up @@ -50,6 +50,7 @@ var Piwik_Overlay = (function () {
globalAjaxQueue.abort();
var ajaxRequest = new ajaxHelper();
ajaxRequest.addParams(params, 'get');
ajaxRequest.withTokenInUrl(); // needed because it is calling a controller and not the API
ajaxRequest.setCallback(
function (response) {
hideLoading();
Expand Down
5 changes: 4 additions & 1 deletion plugins/Overlay/templates/index.twig
View file
Open in desktop
Expand Up @@ -73,7 +73,10 @@

var iframeSrc = 'index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ rawDate }}&segment={{ segment }}';
if (piwik.shouldPropagateTokenAuth) {
iframeSrc += '&force_api_session=1&token_auth=' + piwik.token_auth;
if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
iframeSrc += '&force_api_session=1';
}
iframeSrc += '&token_auth=' + piwik.token_auth;
}

Piwik_Overlay.init(iframeSrc, '{{ idSite }}', '{{ period }}', '{{ rawDate }}', '{{ segment }}');
Expand Down
5 changes: 4 additions & 1 deletion plugins/Overlay/templates/index_noframe.twig
View file
Open in desktop
Expand Up @@ -8,7 +8,10 @@
<script type="text/javascript">
var newLocation = 'index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ date }}&segment={{ segment }}';
if (piwik.shouldPropagateTokenAuth) {
newLocation += '&force_api_session=1&token_auth=' + piwik.token_auth;
if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
newLocation += '&force_api_session=1';
}
newLocation += '&token_auth=' + piwik.token_auth;
}

var locationParts = window.location.href.split('#');
Expand Down