Valider 5373ef94 rédigé par mattab's avatar mattab

Do not allow to widgetize requests from the API plugin

In general it makes no sense to do this, and it could have security implications to allow it.
parent 91ae0a45
......@@ -27,23 +27,6 @@ class Controller extends \Piwik\Plugin\Controller
return $view->render();
}
public function testJsInclude1()
{
$view = new View('@Widgetize/testJsInclude1');
$view->url1 = '?module=Widgetize&action=js&moduleToWidgetize=DevicesDetection&actionToWidgetize=getBrowsers&idSite=1&period=day&date=yesterday';
$view->url2 = '?module=Widgetize&action=js&moduleToWidgetize=API&actionToWidgetize=index&method=ExamplePlugin.getGoldenRatio&format=original';
return $view->render();
}
public function testJsInclude2()
{
$view = new View('@Widgetize/testJsInclude2');
$view->url1 = '?module=Widgetize&action=js&moduleToWidgetize=DevicesDetection&actionToWidgetize=getBrowsers&idSite=1&period=day&date=yesterday';
$view->url2 = '?module=Widgetize&action=js&moduleToWidgetize=UserCountry&actionToWidgetize=getCountry&idSite=1&period=day&date=yesterday&viewDataTable=cloud&show_footer=0';
$view->url3 = '?module=Widgetize&action=js&moduleToWidgetize=Referrers&actionToWidgetize=getKeywords&idSite=1&period=day&date=yesterday&viewDataTable=table&show_footer=0';
return $view->render();
}
public function iframe()
{
Request::reloadAuthUsingTokenAuth();
......@@ -52,6 +35,10 @@ class Controller extends \Piwik\Plugin\Controller
$controllerName = Common::getRequestVar('moduleToWidgetize');
$actionName = Common::getRequestVar('actionToWidgetize');
if($controllerName == 'API') {
throw new \Exception("Widgetizing API requests is not supported for security reasons. Please change query parameter 'moduleToWidgetize'.");
}
if ($controllerName == 'Dashboard' && $actionName == 'index') {
$view = new View('@Widgetize/iframe_empty');
} else {
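Review bot: The new guard `if($controllerName == 'API')` is a loose, case-sensitive string comparison on a request parameter; write it as `if ($controllerName === 'API')` and, if module names are resolved case-insensitively anywhere downstream (not visible here), normalise the value before comparing so that a differently-cased spelling does not slip past it. The restriction is added only in `iframe()`, yet the `testJsInclude1` URL removed in the first hunk (`action=js&moduleToWidgetize=API`) suggests the `js` action accepts `moduleToWidgetize` too; unless that action is already guarded outside this diff, the same check belongs there, ideally via one private helper such as `$this->checkModuleIsWidgetizable($controllerName);` called from both actions so the two cannot drift apart. `iframe()` starts in the previous hunk and its body continues past the end of this one.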