From 5373ef94a82f8fd48bcb649b4e0a63a18745b637 Mon Sep 17 00:00:00 2001
From: mattab <matthieu.aubry@gmail.com>
Date: Tue, 7 Apr 2015 16:48:26 +1200
Subject: [PATCH] Do not allow to widgetize requests from the API plugin

In general it makes no sense to do this, and it could have security implications to allow it.
---
 plugins/Widgetize/Controller.php | 21 ++++-----------------
 1 file changed, 4 insertions(+), 17 deletions(-)

diff --git a/plugins/Widgetize/Controller.php b/plugins/Widgetize/Controller.php
index 5dd61a66c7..2e2e5bf8cb 100644
--- a/plugins/Widgetize/Controller.php
+++ b/plugins/Widgetize/Controller.php
@@ -27,23 +27,6 @@ class Controller extends \Piwik\Plugin\Controller
         return $view->render();
     }
 
-    public function testJsInclude1()
-    {
-        $view = new View('@Widgetize/testJsInclude1');
-        $view->url1 = '?module=Widgetize&action=js&moduleToWidgetize=DevicesDetection&actionToWidgetize=getBrowsers&idSite=1&period=day&date=yesterday';
-        $view->url2 = '?module=Widgetize&action=js&moduleToWidgetize=API&actionToWidgetize=index&method=ExamplePlugin.getGoldenRatio&format=original';
-        return $view->render();
-    }
-
-    public function testJsInclude2()
-    {
-        $view = new View('@Widgetize/testJsInclude2');
-        $view->url1 = '?module=Widgetize&action=js&moduleToWidgetize=DevicesDetection&actionToWidgetize=getBrowsers&idSite=1&period=day&date=yesterday';
-        $view->url2 = '?module=Widgetize&action=js&moduleToWidgetize=UserCountry&actionToWidgetize=getCountry&idSite=1&period=day&date=yesterday&viewDataTable=cloud&show_footer=0';
-        $view->url3 = '?module=Widgetize&action=js&moduleToWidgetize=Referrers&actionToWidgetize=getKeywords&idSite=1&period=day&date=yesterday&viewDataTable=table&show_footer=0';
-        return $view->render();
-    }
-
     public function iframe()
     {
         Request::reloadAuthUsingTokenAuth();
@@ -52,6 +35,10 @@ class Controller extends \Piwik\Plugin\Controller
         $controllerName = Common::getRequestVar('moduleToWidgetize');
         $actionName     = Common::getRequestVar('actionToWidgetize');
 
+        if($controllerName == 'API') {
+            throw new \Exception("Widgetizing API requests is not supported for security reasons. Please change query parameter 'moduleToWidgetize'.");
+        }
+
         if ($controllerName == 'Dashboard' && $actionName == 'index') {
             $view = new View('@Widgetize/iframe_empty');
         } else {
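Review bot: The new guard `if($controllerName == 'API')` relies on loose string comparison and rejects only the exact spelling `API`; write it as `if ($controllerName === 'API') {` so the intent is strict equality, and confirm that the module name is not resolved case-insensitively further down (if it is, a differently-cased value would slip past this check and the comparison should normalise first). The removed test templates in the first hunk reference `action=js&moduleToWidgetize=API`, so if a `js` action still reads `moduleToWidgetize` it needs the same rejection, or the check should move to a shared helper both actions call. A dedicated exception type rather than a bare `\Exception` would let callers distinguish this refusal from other failures. The body of `iframe()` continues outside the hunk.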
-- 
GitLab