Introduce new User permission: Super User Access #4564

Closed
mattab opened this Issue · 49 comments

2 participants

@mattab
Owner

The feature to be able to have several Super Users is becoming more important, and many users have requested it in the forums and in #2589

Tasks:

  • Create superAdmin permission. The superAdmin permission is equivalent to the current "superUser" in terms of power.
  • The user stored in the config file always has superAdmin permission.
  • Code: change all calls to checkUserIsSuperUser to: checkUserHasSuperAdmin permissions, setUserIsSuperUser becomes setUserHasSuperAdmin, checkUserIsSuperUserOrTheUser -> checkUserIsTheUserOrHasSuperAdmin
  • Add / update unit tests

Note:

  • the Super User stored in the config file will never lose its super admin capability. But other users with SuperAdmin permission can lose it
  • The UI for setting Super Admin permission is out of scope; it is covered in #2589

@tsteur
Owner

In e4b425b: refs #4564 #2589 added possibility to define multiple superusers

@tsteur
Owner

In 743d7b8: refs #4564 #2589 do not allow to edit a users websites permissions if user is superuser. Reload page after successfully changing superuser permission to make sure it is afterwards possible to (edit / not edit) websites permissions

@tsteur
Owner

In 265f4b9: refs #4564 #2589 we need a small difference between superUser and configSuperUser

@tsteur
Owner

In 743b92d: refs #4564 some more fixes for config super user

@tsteur
Owner

In bdb6967: refs #4564 restrict sites to login for all non super users

@tsteur
Owner

In bda7796: refs #4564 also check for the config user

@tsteur
Owner

In 81e7f87: refs #4564 introducing new methods to make user a user has superuser access. Old methods will still work but are marked as deprecated and they will be removed in a future release

@tsteur
Owner

In df54712: refs #4564 introducing some more new methods for has superuser access. Old methods will still work but are marked as deprecated and they will be removed in a future release

@tsteur
Owner

In cae8ff4: refs #4564 added test to make sure the deprecated methods will be there as promised and removed afterwards

@tsteur
Owner

In d8a69b1: refs #4564 fixed some permission issues and removed the todo tags

@tsteur
Owner

In ff36d5e: refs #4564 added missing method again to not break API and fix tests

@tsteur
Owner

In ea48bba: refs #4564 added db update (version number needs to be changed later probably) and renamed more methods

@tsteur
Owner

In 71bf5fe: refs #4564 added column superuser access

@tsteur
Owner

In 0ffbe10: refs #4564 fix sql

@tsteur
Owner

In 57a1824: refs #4564 fix adding anonymous user is not possible

@tsteur
Owner

In 838fea8: refs #4564 fixing tests

@tsteur
Owner

In 1c51265: refs #4564 deprecate some more methods

@tsteur
Owner

In e3515a5: refs #4564 simplified login tests

@tsteur
Owner

In 5d14a67: refs #4564 added some Login tests to make sure a user with super user access will be authenticated as super user

@tsteur
Owner

In 8892cce: refs #4564 improved readability of the test

@tsteur
Owner

In 0a2e2d3: refs #4564 added some more test cases and removed some obsolete comments

@tsteur
Owner

In 67202fc: refs #4564 whitespace

@tsteur
Owner

In 91defb4: refs #4564 some more tests, also grepped for different superuser terms and updated some test names

@tsteur
Owner

In ee5aba1: refs #4564 fix tests

@tsteur
Owner

current status of #2589 and #4564 and #4582

It should work so far. As discussed user role is "SuperUser" not "SuperAdmin". Once a superUser role is set you "lose" all previous custom access because you gain permission to everything anyway. Updated/Added tests, renamed methods, added UI. Also tested whether scheduled tasks still work and looks good.

Needs to be done:

  • Update documentation
  • In blog post inform about deprecated methods which will be removed in the future

I have some changes in the submodules but haven't committed them to keep it simple. It should work though but haven't tested it.

@tsteur
Owner

In da54aa4: refs #4564 some bugfixes, documentation and tests

@tsteur
Owner

In e6133ac: refs #4564 skipping languagesManager test to fix build

@tsteur
Owner

In 08f33b6: refs #4564 deprecated method was used

@tsteur
Owner

In e6daa61: refs #4564 add superuser before running the ui tests

@mattab
Owner

In 92c88a3: 2.0.4-b5 including schema change for Super User access refs #4564

@mattab
Owner

In e012b22: Prevent notice on the Upgrade screen when triggering 2.0.4-b5 refs #4564

@mattab
Owner

In f81dcbc: Capitalizing Super User for consistency refs #4564

@tsteur
Owner

In 0dab4f5: refs #4564 faster check in case user is the current user

@tsteur
Owner

In dabec29: Merge pull request #212 from piwik/multi_superuser

refs #4564 #2589 support for multi superuser

@tsteur
Owner

In b9e667f: refs #4564 password has to be at least 6 characters

@tsteur
Owner

In fb6775b: refs #4564 added method to not break api

@tsteur
Owner

In 88bca63: refs #4564 throw a updateErrorException in case of any exception during the update

@tsteur
Owner

In f386511: refs #4564 avoid possible failure during update because of missing permissions -> Get the option value of delegated management directly

@tsteur
Owner

In 8d313b0: refs #4564 cleanup and make sure a new user does not get super user access

@tsteur
Owner

In 9e20f5a: refs #4564 fix method names

@tsteur
Owner

In 0e6ec5d: refs #4564 fixes Login\Auth not found when generating Visits

@mattab
Owner

See also: #212

@mattab
Owner

Well done Thomas!!

@tsteur
Owner

In 0e366ab: refs #4564 instead of moving the option entry -> copy it. Makes sure the superuser still sees the configured phone numbers after migration

@tsteur
Owner

In 7250284: refs #4564 get the superuser from database

@tsteur
Owner

In ac77310: refs #4564 fix import logs and archive.sh did no longer work because there is no longer a superuser in the config. Read directly the tokenauth of any superuser from a generated file instead. The updatetoken.php will create a file containing the needed token in tmp/cache which will not be served by default (on apache). Also the script contains directly an exit to avoid execution or anything from the browser or cli

@tsteur
Owner

In a361138: refs #4564 test whether import_logs.py script can find the token_auth automatically

@tsteur
Owner

In 4bc46c3: refs #4564 we have to get the token from the piwik_tests database

@tsteur
Owner

In d4839f1: refs #4564 it does not accept a parameter

@mattab mattab added this to the 2.1 - Piwik 2.1 milestone
@tsteur tsteur was assigned by mattab
@sabl0r sabl0r referenced this issue from a commit in sabl0r/piwik
@tsteur tsteur #4564 updated some translation strings 8f4e45e
This issue was closed.