refs #4126 make sure a user cannot read/change settings of another user

core/Settings/UserSetting.php

@@ -63,9 +63,15 @@ private function buildUserSettingName($name, $userLogin = null)
      * Sets (overwrites) the userLogin.
      *
      * @param $userLogin
+     *
+     * @throws \Exception In case you set a userLogin that is not your userLogin and you are not the superUser.
      */
     public function setUserLogin($userLogin)
     {
+        if (!empty($userLogin) && !Piwik::isUserIsSuperUserOrTheUser($userLogin)) {
+            throw new \Exception('You do not have the permission to read the settings of a different user');
+        }
+
         $this->userLogin = $userLogin;
         $this->key       = $this->buildUserSettingName($this->name, $userLogin);
     }

tests/PHPUnit/Core/Plugin/SettingsTest.php

@@ -547,6 +547,31 @@ public function test_userSetting_shouldSaveValuesPerUser()
         $this->assertSettingHasValue($user, null);
     }
 
+    /**
+     * @expectedException \Exception
+     * @expectedExceptionMessage You do not have the permission to read the settings of a different user
+     */
+    public function test_userSetting_shouldThrowException_IfSomeoneTriesToReadSettingsFromAnotherUserAndIsNotSuperuser()
+    {
+        $this->setUser();
+
+        $this->buildUserSetting('myname', 'mytitle', 'myRandomName');
+    }
+
+    public function test_userSetting_shouldBeAbleToSetLoginAndChangeValues_IfUserIsSuperUser()
+    {
+        $this->setSuperUser();
+
+        $setting = $this->buildUserSetting('myname', 'mytitle', 'myRandomName');
+        $this->settings->addSetting($setting);
+
+        $this->settings->setSettingValue($setting, 5);
+        $this->assertSettingHasValue($setting, 5);
+
+        $this->settings->removeSettingValue($setting);
+        $this->assertSettingHasValue($setting, null);
+    }
+
     private function buildUserSetting($name, $title, $userLogin = null)
     {
         return new \Piwik\Settings\UserSetting($name, $title, $userLogin);