diff --git a/config/environment/test.php b/config/environment/test.php index 8174e8b057ba9081db37192b8e268d576279bdc6..702bebaef0afd42f9eb4c0adea4b9044e5f1314d 100644 --- a/config/environment/test.php +++ b/config/environment/test.php @@ -40,9 +40,16 @@ return array( 'Piwik\Access' => DI\decorate(function ($previous, ContainerInterface $c) { $testUseMockAuth = $c->get('test.vars.testUseMockAuth'); if ($testUseMockAuth) { + $idSitesAdmin = $c->get('test.vars.idSitesAdminAccess'); $access = new FakeAccess(); - FakeAccess::$superUser = true; - FakeAccess::$superUserLogin = 'superUserLogin'; + if (!empty($idSitesAdmin)) { + FakeAccess::$superUser = false; + FakeAccess::$idSitesAdmin = $idSitesAdmin; + FakeAccess::$identity = 'adminUserLogin'; + } else { + FakeAccess::$superUser = true; + FakeAccess::$superUserLogin = 'superUserLogin'; + } return $access; } else { return $previous; diff --git a/core/Access.php b/core/Access.php index 6d3ee4c32be89854508447c1af6f2ba3627209e6..881810bfca9739f5318ccb9c3533750d368c13ee 100644 --- a/core/Access.php +++ b/core/Access.php @@ -336,19 +336,29 @@ class Access } /** - * If the user doesn't have an ADMIN access for at least one website, throws an exception + * Returns `true` if the current user has admin access to at least one site. * - * @throws \Piwik\NoAccessException + * @return bool */ - public function checkUserHasSomeAdminAccess() + public function isUserHasSomeAdminAccess() { if ($this->hasSuperUserAccess()) { - return; + return true; } $idSitesAccessible = $this->getSitesIdWithAdminAccess(); - if (count($idSitesAccessible) == 0) { + return count($idSitesAccessible) > 0; + } + + /** + * If the user doesn't have an ADMIN access for at least one website, throws an exception + * + * @throws \Piwik\NoAccessException + */ + public function checkUserHasSomeAdminAccess() + { + if (!$this->isUserHasSomeAdminAccess()) { throw new NoAccessException(Piwik::translate('General_ExceptionPrivilegeAtLeastOneWebsite', array('admin'))); } } 
diff --git a/core/Piwik.php b/core/Piwik.php index 9545cff6c8e260c58a2c10cc8ac0e36599e66e59..89b1d6ce8759a3a657c63a26253615bef2b125fb 100644 --- a/core/Piwik.php +++ b/core/Piwik.php @@ -394,12 +394,7 @@ class Piwik */ public static function isUserHasSomeAdminAccess() { - try { - self::checkUserHasSomeAdminAccess(); - return true; - } catch (Exception $e) { - return false; - } + return Access::getInstance()->isUserHasSomeAdminAccess(); } /** diff --git a/plugins/UsersManager/.gitignore b/plugins/UsersManager/.gitignore new file mode 100644 index 0000000000000000000000000000000000000000..c8c9480010db494b8cf54ca8f9561e7a14ff51ea --- /dev/null +++ b/plugins/UsersManager/.gitignore @@ -0,0 +1 @@ +tests/System/processed/*xml \ No newline at end of file diff --git a/plugins/UsersManager/API.php b/plugins/UsersManager/API.php index 036f77b6bfba89435e03d30b53298fdcfbecc783..ec900ff65dc0ccdb9234c634e6fdbe9565094bbe 100644 --- a/plugins/UsersManager/API.php +++ b/plugins/UsersManager/API.php @@ -40,14 +40,20 @@ class API extends \Piwik\Plugin\API */ private $model; + /** + * @var UserAccessFilter + */ + private $userFilter; + const PREFERENCE_DEFAULT_REPORT = 'defaultReport'; const PREFERENCE_DEFAULT_REPORT_DATE = 'defaultReportDate'; private static $instance = null; - public function __construct(Model $model) + public function __construct(Model $model, UserAccessFilter $filter) { $this->model = $model; + $this->userFilter = $filter; } /** @@ -201,6 +207,7 @@ class API extends \Piwik\Plugin\API } $users = $this->model->getUsers($logins); + $users = $this->userFilter->filterUsers($users); // Non Super user can only access login & alias if (!Piwik::hasUserSuperUserAccess()) { @@ -221,7 +228,10 @@ class API extends \Piwik\Plugin\API { Piwik::checkUserHasSomeAdminAccess(); - return $this->model->getUsersLogin(); + $logins = $this->model->getUsersLogin(); + $logins = $this->userFilter->filterLogins($logins); + + return $logins; } /** 
@@ -244,7 +254,10 @@ class API extends \Piwik\Plugin\API $this->checkAccessType($access); - return $this->model->getUsersSitesFromAccess($access); + $userSites = $this->model->getUsersSitesFromAccess($access); + $userSites = $this->userFilter->filterLoginIndexedArray($userSites); + + return $userSites; } /** @@ -266,7 +279,10 @@ class API extends \Piwik\Plugin\API { Piwik::checkUserHasAdminAccess($idSite); - return $this->model->getUsersAccessFromSite($idSite); + $usersAccess = $this->model->getUsersAccessFromSite($idSite); + $usersAccess = $this->userFilter->filterLoginIndexedArray($usersAccess); + + return $usersAccess; } public function getUsersWithSiteAccess($idSite, $access) @@ -280,6 +296,7 @@ class API extends \Piwik\Plugin\API return array(); } + $logins = $this->userFilter->filterLogins($logins); $logins = implode(',', $logins); return $this->getUsers($logins); @@ -336,7 +353,9 @@ class API extends \Piwik\Plugin\API Piwik::checkUserHasSuperUserAccessOrIsTheUser($userLogin); $this->checkUserExists($userLogin); - return $this->model->getUser($userLogin); + $user = $this->model->getUser($userLogin); + + return $this->userFilter->filterUser($user); } /** @@ -351,7 +370,9 @@ class API extends \Piwik\Plugin\API Piwik::checkUserHasSuperUserAccess(); $this->checkUserEmailExists($userEmail); - return $this->model->getUserByEmail($userEmail); + $user = $this->model->getUserByEmail($userEmail); + + return $this->userFilter->filterUser($user); } private function checkLogin($userLogin) @@ -485,6 +506,9 @@ class API extends \Piwik\Plugin\API unset($user['token_auth']); } + // we do not filter these users by access and return them all since we need to print this information in the + // UI and they are allowed to see this. + return $users; } 
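Review bot: The comment added in the `@@ -485,6 +506,9 @@` hunk marks this return as a read path the commit deliberately leaves outside `UserAccessFilter`, but it does not say which access check makes that safe. The method starts outside the hunk, so the guard cannot be confirmed from here; the visible lines only show `token_auth` being unset before the whole list is returned. I would name the check in the comment, for example `// not filtered by UserAccessFilter: the caller has already passed <access check>, and token_auth is stripped above`. That way a later change to the check does not silently widen who can list every account.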
@@ -607,10 +631,32 @@ class API extends \Piwik\Plugin\API public function userEmailExists($userEmail) { Piwik::checkUserIsNotAnonymous(); + Piwik::checkUserHasSomeViewAccess(); return $this->model->userEmailExists($userEmail); } + /** + * Returns the first login name of an existing user that has the given email address. If no user can be found for + * this user an error will be returned. + * + * @param string $userEmail + * @return bool true if the user is known + */ + public function getUserLoginFromUserEmail($userEmail) + { + Piwik::checkUserIsNotAnonymous(); + Piwik::checkUserHasSomeAdminAccess(); + + $this->checkUserEmailExists($userEmail); + + $user = $this->model->getUserByEmail($userEmail); + + // any user with some admin access is allowed to find any user by email, no need to filter by access here + + return $user['login']; + } + /** * Set an access level to a given user for a list of websites ID. * diff --git a/plugins/UsersManager/Controller.php b/plugins/UsersManager/Controller.php index 37e13fcefab24f7d3cb0d9c85abe0c1d30944aa2..e14a7834515191c4d962b6b401e124d96a266eeb 100644 --- a/plugins/UsersManager/Controller.php +++ b/plugins/UsersManager/Controller.php @@ -9,6 +9,7 @@ namespace Piwik\Plugins\UsersManager; use Exception; +use Piwik\Access; use Piwik\API\Request; use Piwik\API\ResponseBuilder; use Piwik\Common; @@ -123,6 +124,7 @@ class Controller extends ControllerAdmin } } + $view->hasOnlyAdminAccess = Piwik::isUserHasSomeAdminAccess() && !Piwik::hasUserSuperUserAccess(); $view->anonymousHasViewAccess = $this->hasAnonymousUserViewAccess($usersAccessByWebsite); $view->idSiteSelected = $idSiteSelected; $view->defaultReportSiteName = $defaultReportSiteName; diff --git a/plugins/UsersManager/UserAccessFilter.php b/plugins/UsersManager/UserAccessFilter.php new file mode 100644 index 0000000000000000000000000000000000000000..20fd671aa3cf05b5cb1ec0693c76925673917e59 --- /dev/null +++ b/plugins/UsersManager/UserAccessFilter.php 
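Review bot: `getUserLoginFromUserEmail()` lets any user with admin access to a single site resolve an arbitrary email address to a login name, including accounts that `UserAccessFilter` otherwise hides from that user, and per its own docblock it errors when the address is unknown, so it also confirms whether an address is registered. The inline comment shows the bypass is intentional, but that trade-off belongs in the docblock, since the docblock is what ends up in the API documentation. The return tag is also wrong: the method returns `$user['login']`, so `@return string login of the user registered with that email address` fits, and "for this user" in the summary should read "for this email address". If the lookup exists only to serve the give-view-access form, it may be worth stating that as well, so later callers do not treat it as a general directory lookup.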
@@ -0,0 +1,183 @@
+<?php
+/**
+ * Piwik - free/libre analytics platform
+ *
+ * @link http://piwik.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ *
+ */
+namespace Piwik\Plugins\UsersManager;
+
+use Piwik\Access;
+
+/**
+ * This class offers methods to filter a list of users, logins, or anything that is related to users/logins.
+ *
+ * * By default a super user is allowed to see all users.
+ * * A user having admin access is allowed to see all other users that have view or admin access to the same access.
+ * * A user not having any admin access is only allowed to see the own user.
+ *
+ * The methods in this class make sure to only return the data for logins / users the current user actually has
+ * permission to see.
+ *
+ * FYI: The anonymous user is not treated in any special way. The anonymous user is a regular user with no access or
+ * view access only and can only see itself.
+ */
+class UserAccessFilter
+{
+ /**
+ * @var Model
+ */
+ private $model;
+
+ /**
+ * @var Access
+ */
+ private $access;
+
+ /**
+ * Holds a list of all idSites the current user has view access to. Only used for caching.
+ * @var array
+ */
+ private $idSitesWithAdmin;
+
+ /**
+ * Holds a list of all user logins that have admin access. Only used for caching
+ * @var array Array ('loginName' => array(idsites...))
+ */
+ private $usersWithAdminAccess;
+
+ /**
+ * Holds a list of all user logins that have view access. Only used for caching
+ * @var array Array ('loginName' => array(idsites...))
+ */
+ private $usersWithViewAccess;
+
+ public function __construct(Model $model, Access $access)
+ {
+ $this->model = $model;
+ $this->access = $access;
+ }
+
+ /**
+ * Removes all array values where the current user has no permission to see the existence of a given login index/key.
+ * @param array $arrayIndexedByLogin An array that is indexed by login / usernames. Eg:
+ * array('username1' => 5, 'username2' => array(...), ...)
+ * @return array
+ */
+ public function filterLoginIndexedArray($arrayIndexedByLogin)
+ {
+ if ($this->access->hasSuperUserAccess()) {
+ return $arrayIndexedByLogin; // this part is not needed but makes it faster for super user.
+ }
+
+ $allowedLogins = $this->filterLogins(array_keys($arrayIndexedByLogin));
+
+ return array_intersect_key($arrayIndexedByLogin, array_flip($allowedLogins));
+ }
+
+ /**
+ * Removes all users from the list of the given users where the current user has no permission to see the existence
+ * of that other user.
+ * @param array $users An array of arrays. Each inner array must have a key 'login'. Eg:
+ * array(array('login' => 'username1'), array('login' => 'username2'), ...)
+ * @return array
+ */
+ public function filterUsers($users)
+ {
+ if ($this->access->hasSuperUserAccess()) {
+ return $users;
+ }
+
+ if (!$this->access->isUserHasSomeAdminAccess()) {
+ // keep only own user if it is in the list
+ foreach ($users as $user) {
+ if ($this->isOwnLogin($user['login'])) {
+ return array($user);
+ }
+ }
+
+ return array();
+ }
+
+ foreach ($users as $index => $user) {
+ if (!$this->isNonSuperUserAllowedToSeeThisLogin($user['login'])) {
+ unset($users[$index]);
+ }
+ }
+
+ return array_values($users);
+ }
+
+ /**
+ * Returns the given user only if the current user has permission to see the given user
+ * @param array $user An array containing a key 'login'
+ * @return bool
+ */
+ public function filterUser($user)
+ {
+ if ($this->access->hasSuperUserAccess() || $this->isNonSuperUserAllowedToSeeThisLogin($user['login'])) {
+ return $user;
+ }
+ }
+
+ /**
+ * Removes all logins from the list of logins where the current user has no permission to see them.
+ *
+ * @param string[] $logins An array of logins / usernames. Eg array('username1', 'username2')
+ * @return array
+ */
+ public function filterLogins($logins)
+ {
+ if ($this->access->hasSuperUserAccess()) {
+ return $logins;
+ }
+
+ if (!$this->access->isUserHasSomeAdminAccess()) {
+ // keep only own user if it is in the list
+ foreach ($logins as $login) {
+ if ($this->isOwnLogin($login)) {
+ return array($login);
+ }
+ }
+
+ return array();
+ }
+
+ foreach ($logins as $index => $login) {
+ if (!$this->isNonSuperUserAllowedToSeeThisLogin($login)) {
+ unset($logins[$index]);
+ }
+ }
+
+ return array_values($logins);
+ }
+
+ protected function isNonSuperUserAllowedToSeeThisLogin($login)
+ {
+ // we do not test for super user access here for better performance as we would otherwise test for access for
+ // each single login in the other calling methods.
+ return $this->hasAccessToSameSite($login) || $this->isOwnLogin($login);
+ }
+
+ private function isOwnLogin($login)
+ {
+ return $login === $this->access->getLogin();
+ }
+
+ private function hasAccessToSameSite($login)
+ {
+ // users is allowed to see other users having view or admin access to these sites
+ if (!isset($this->idSitesWithAdmin)) {
+ $this->idSitesWithAdmin = $this->access->getSitesIdWithAdminAccess();
+ $this->usersWithAdminAccess = $this->model->getUsersSitesFromAccess('admin');
+ $this->usersWithViewAccess = $this->model->getUsersSitesFromAccess('view');
+ }
+
+ return (
+ (isset($this->usersWithViewAccess[$login]) && array_intersect($this->idSitesWithAdmin, $this->usersWithViewAccess[$login]))
+ ||
+ (isset($this->usersWithAdminAccess[$login]) && array_intersect($this->idSitesWithAdmin, $this->usersWithAdminAccess[$login]))
+ );
+ }
+}
diff --git a/plugins/UsersManager/UsersManager.php b/plugins/UsersManager/UsersManager.php
index 340f081b5f550f69c033ff998cb6ff1465cf1b31..344faf107a25cb6ef3f670882c169d7817bcb4ef 100644
--- a/plugins/UsersManager/UsersManager.php
+++ b/plugins/UsersManager/UsersManager.php
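Review bot: `filterUser()` denies access by falling off the end of the function, so its "not allowed" result is an implicit `null` while the docblock promises `@return bool`. The API's `getUser()` and `getUserByEmail()` now return this value directly, so I would make the deny path explicit with `return null;` after the `if` and document it as `@return array|null the user, or null if the current user may not see it`. Two other docblocks in this file mislead in the same way: `$idSitesWithAdmin` is described as the sites with view access but is filled from `getSitesIdWithAdminAccess()`, and the class summary says "the same access" where it means the same site. The cache in `hasAccessToSameSite()` is filled once per instance and never reset, so it presumably goes stale if access is changed while the same filter object is still in use; a comment stating that assumption would help.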
@@ -94,6 +94,7 @@ class UsersManager extends \Piwik\Plugin { $jsFiles[] = "plugins/UsersManager/javascripts/usersManager.js"; $jsFiles[] = "plugins/UsersManager/javascripts/usersSettings.js"; + $jsFiles[] = "plugins/UsersManager/javascripts/giveViewAccess.js"; } /** @@ -165,5 +166,7 @@ class UsersManager extends \Piwik\Plugin $translationKeys[] = "UsersManager_ConfirmGrantSuperUserAccess"; $translationKeys[] = "UsersManager_ConfirmProhibitOtherUsersSuperUserAccess"; $translationKeys[] = "UsersManager_ConfirmProhibitMySuperUserAccess"; + $translationKeys[] = "UsersManager_ExceptionUserHasViewAccessAlready"; + $translationKeys[] = "UsersManager_ExceptionNoValueForUsernameOrEmail"; } } diff --git a/plugins/UsersManager/javascripts/giveViewAccess.js b/plugins/UsersManager/javascripts/giveViewAccess.js new file mode 100644 index 0000000000000000000000000000000000000000..91300547c7cb95cb3b07e39878c96277031862d7 --- /dev/null +++ b/plugins/UsersManager/javascripts/giveViewAccess.js 
@@ -0,0 +1,169 @@
+/*!
+ * Piwik - free/libre analytics platform
+ *
+ * @link http://piwik.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+$(document).ready(function () {
+
+ function hideLoading()
+ {
+ $('#giveUserAccessToViewReports').prop('disabled', false);
+ $('#ajaxLoadingGiveViewAccess').hide();
+ }
+
+ function showLoading()
+ {
+ $('#giveUserAccessToViewReports').prop('disabled', true);
+ $('#ajaxLoadingGiveViewAccess').show();
+ }
+
+ function showErrorNotification(errorMessage)
+ {
+ var placeAt = '#ajaxErrorGiveViewAccess';
+ $(placeAt).show();
+
+ var UI = require('piwik/UI');
+ var notification = new UI.Notification();
+ notification.show(errorMessage, {
+ placeat: placeAt,
+ context: 'error',
+ id: 'ajaxHelper',
+ type: null
+ });
+ notification.scrollToNotification();
+ hideLoading();
+ }
+
+ function createNewAjaxHelper()
+ {
+ var ajaxHandler = new ajaxHelper();
+ ajaxHandler.setCompleteCallback(function (xhr, status) {
+ if (xhr &&
+ xhr.responseJSON &&
+ xhr.responseJSON.message &&
+ xhr.responseJSON.result &&
+ xhr.responseJSON.result == 'error') {
+ hideLoading();
+ }
+ if (status && String(status).toLowerCase() !== 'sucess') {
+ hideLoading();
+ }
+ });
+ ajaxHandler.addParams({
+ module: 'API',
+ format: 'json'
+ }, 'GET');
+ ajaxHandler.setErrorElement('#ajaxErrorGiveViewAccess');
+
+ return ajaxHandler;
+ }
+
+ function sendViewAccess(userLogin)
+ {
+ sendUpdateUserAccess(userLogin, 'view', function () { window.location.reload(); });
+ setTimeout(hideLoading, 250);
+ // we hide loading after a bit since we cannot influence the ajax request in case of any error
+ }
+
+ function setViewAccessForUserToAllWebsitesIfUserConfirms(userLogin)
+ {
+ // ask confirmation
+ $('#confirm').find('#login').text(userLogin);
+
+ function onValidate() {
+ sendViewAccess(userLogin);
+ }
+
+ piwikHelper.modalConfirm('#confirm', {yes: onValidate, no: hideLoading})
+ }
+
+ function setViewAccessForUserIfNotAlreadyHasAccess(userLogin, idSites)
+ {
+ var ajaxHandler = createNewAjaxHelper();
+ ajaxHandler.addParams({
+ method: 'UsersManager.getUsersAccessFromSite',
+ userLogin: userLogin,
+ idSite: idSites
+ }, 'GET');
+ ajaxHandler.setCallback(function (users) {
+ if (users && users[0] && users[0][userLogin]) {
+ showErrorNotification(_pk_translate('UsersManager_ExceptionUserHasViewAccessAlready'));
+ } else {
+ sendViewAccess(userLogin);
+ }
+
+ });
+ ajaxHandler.send();
+ }
+
+ function ifUserExists(usernameOrEmail, callback)
+ {
+ var ajaxHandler = createNewAjaxHelper();
+ ajaxHandler.addParams({
+ method: 'UsersManager.userExists',
+ userLogin: usernameOrEmail,
+ }, 'GET');
+ ajaxHandler.setCallback(callback);
+ ajaxHandler.send();
+ }
+
+ function getUsernameFromEmail(usernameOrEmail, callback)
+ {
+ var ajaxHandler = createNewAjaxHelper();
+ ajaxHandler.addParams({
+ method: 'UsersManager.getUserLoginFromUserEmail',
+ userEmail: usernameOrEmail,
+ }, 'GET');
+ ajaxHandler.setCallback(callback);
+ ajaxHandler.send();
+ }
+
+ function giveViewAccessToUser(userLogin)
+ {
+ var idSites = getIdSites();
+
+ if (idSites === 'all') {
+ setViewAccessForUserToAllWebsitesIfUserConfirms(userLogin);
+ } else {
+ setViewAccessForUserIfNotAlreadyHasAccess(userLogin, idSites);
+ }
+ }
+
+ $('#showGiveViewAccessForm').click(function () {
+ $('#giveViewAccessForm').toggle()
+ });
+
+ $('#giveViewAccessForm #user_invite').keypress(function (e) {
+ var key = e.keyCode || e.which;
+ if (key == 13) {
+ $('#giveViewAccessForm #giveUserAccessToViewReports').click();
+ }
+ });
+
+ $('#giveViewAccessForm #giveUserAccessToViewReports').click(function () {
+ showLoading();
+
+ var usernameOrEmail = $('#user_invite').val();
+
+ if (!usernameOrEmail) {
+ showErrorNotification(_pk_translate('UsersManager_ExceptionNoValueForUsernameOrEmail'));
+ return;
+ }
+
+ ifUserExists(usernameOrEmail, function (isUserName) {
+ if (isUserName && isUserName.value) {
+
giveViewAccessToUser(usernameOrEmail); + } else { + getUsernameFromEmail(usernameOrEmail, function (login) { + if (login && login.value) { + giveViewAccessToUser(login.value); + } else { + hideLoading(); + } + }); + } + }); + }); +}); diff --git a/plugins/UsersManager/javascripts/usersManager.js b/plugins/UsersManager/javascripts/usersManager.js index c0aaeb9bf2fa1569cb581b5f81cb700c8964e4a6..eb0452013cfbeb338e7253bbf590272bfacc2833 100644 --- a/plugins/UsersManager/javascripts/usersManager.js +++ b/plugins/UsersManager/javascripts/usersManager.js @@ -292,8 +292,7 @@ $(document).ready(function () { }); }); - $('#access .updateAccess') - .click(bindUpdateAccess); + $('#access .updateAccess').click(bindUpdateAccess); $('#superUserAccess .accessGranted, #superUserAccess .updateAccess').click(bindUpdateSuperUserAccess); diff --git a/plugins/UsersManager/lang/en.json b/plugins/UsersManager/lang/en.json index 522039c459db1dade6b617c258acb2a9dc9f0027..144b66ec03a59bf89192a029a3271c00c85a9ace 100644 --- a/plugins/UsersManager/lang/en.json +++ b/plugins/UsersManager/lang/en.json @@ -17,6 +17,7 @@ "DeleteConfirm": "Are you sure you want to delete the user %s?", "Email": "Email", "EmailYourAdministrator": "%1$sE-mail your administrator about this problem%2$s.", + "EnterUsernameOrEmail": "Enter a username or email address", "ExceptionAccessValues": "The parameter access must have one of the following values: [ %s ]", "ExceptionAdminAnonymous": "You cannot grant 'admin' access to the 'anonymous' user.", "ExceptionDeleteDoesNotExist": "User '%s' doesn't exist therefore it can't be deleted.", 
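Review bot: In `createNewAjaxHelper()` the complete callback compares the status with `'sucess'`, a misspelling that no jQuery status string equals, so `hideLoading()` runs after every request, successful ones included; `String(status).toLowerCase() !== 'success'` is presumably what was meant. Separately, `ifUserExists()` and `getUsernameFromEmail()` add the typed username or email address with `'GET'`, which, depending on how `ajaxHelper` builds the request, puts the address in the query string where it can end up in server access logs; sending these lookups as POST parameters would avoid that. The trailing commas after `userLogin: usernameOrEmail,` and `userEmail: usernameOrEmail,` are a syntax error in older Internet Explorer versions, which the stylesheet in this commit still targets with `.old-ie`.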
@@ -32,8 +33,13 @@ "ExceptionSuperUserAccess": "This user has Super User access and has already permission to access and modify all websites in Piwik. You may remove the Super User access from this user and try again.", "ExceptionUserDoesNotExist": "User '%s' doesn't exist.", "ExceptionYouMustGrantSuperUserAccessFirst": "There has to be at least one user with Super User access. Please grant Super User access to another user first.", + "ExceptionUserHasViewAccessAlready": "This user has access to this website already.", + "ExceptionNoValueForUsernameOrEmail": "Please enter a username or email address.", "ExcludeVisitsViaCookie": "Exclude your visits using a cookie", "ForAnonymousUsersReportDateToLoadByDefault": "For anonymous users, report date to load by default", + "GiveViewAccess": "Give view access", + "GiveViewAccessTitle": "Give an existing user access to view reports for %s", + "GiveViewAccessInstructions": "To give an existing user view access for %s enter the username or email address of an existing user", "IfYouWouldLikeToChangeThePasswordTypeANewOne": "If you would like to change the password type a new one. Otherwise leave this blank.", "InjectedHostCannotChangePwd": "You are currently visiting with an unknown host (%1$s). You cannot change your password until this problem is fixed.", "LastSeen": "Last seen", diff --git a/plugins/UsersManager/stylesheets/usersManager.less b/plugins/UsersManager/stylesheets/usersManager.less index 949ea61d2dc70d32863ee5cfc6e1ace6f729bc2f..330e8569d75f6ec4a034cd5eff0c7746210cfb9a 100644 --- a/plugins/UsersManager/stylesheets/usersManager.less +++ b/plugins/UsersManager/stylesheets/usersManager.less @@ -42,4 +42,17 @@ .old-ie #sites.usersManager .sites_selector_title { height: 30px; -} \ No newline at end of file +} + +#showGiveViewAccessForm { + text-align: left; +} + +#giveViewAccessForm { + display: none; + margin-left: 30px; + + #user_invite { + min-width: 300px; + } +} 
diff --git a/plugins/UsersManager/templates/index.twig b/plugins/UsersManager/templates/index.twig index 6bf12d01e02af0dedd05f1359869031957cdb629..9ce934ec181975acb97fa950b2435cb21ce0a6e3 100644 --- a/plugins/UsersManager/templates/index.twig +++ b/plugins/UsersManager/templates/index.twig @@ -55,6 +55,7 @@ {% set accesInvalid %}<img src='plugins/UsersManager/images/no-access.png' class='updateAccess' />{% endset %} {% set superUserAccess %}<span title="{{ 'UsersManager_ExceptionSuperUserAccess'|translate }}">N/A</span>{% endset %} {% for login,access in usersAccessByWebsite %} + {% if userIsSuperUser or (hasOnlyAdminAccess and access!='noaccess') %} <tr> <td id='login'>{{ login }}</td> <td>{{ usersAliasByLogin[login]|raw }}</td> @@ -84,12 +85,34 @@ {% endif %} </td> </tr> + {% endif %} {% endfor %} </tbody> </table> <div id="accessUpdated" style="vertical-align:top;"></div> </div> +{% if hasOnlyAdminAccess %} + <p> + <button id="showGiveViewAccessForm" class="add-user btn btn-lg btn-flat"> + <span class="icon-add"></span> + {{ 'UsersManager_GiveViewAccessTitle'|translate('"' ~ defaultReportSiteName ~ '"') }} + </button> + </p> + <form id="giveViewAccessForm"> + <div class="form-group"> + <input type="text" name="user_invite" + id="user_invite" + placeholder="{{ 'UsersManager_EnterUsernameOrEmail'|translate|e('html_attr') }}" + title="{{ 'UsersManager_GiveViewAccessInstructions'|translate("'" ~ defaultReportSiteName ~ "'")|e('html_attr') }}"> + </div> + + <input class="btn" type="button" id="giveUserAccessToViewReports" value="{{ 'UsersManager_GiveViewAccess'|translate|e('html_attr') }}"> + </form> + {{ ajax.errorDiv('ajaxErrorGiveViewAccess') }} + {{ ajax.loadingDiv('ajaxLoadingGiveViewAccess') }} +{% endif %} + <div class="ui-confirm" id="confirm"> <h2>{{ 'UsersManager_ChangeAllConfirm'|translate("<span id='login'></span>")|raw }}</h2> <input role="yes" type="button" value="{{ 'General_Yes'|translate }}"/> 
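Review bot: `<form id="giveViewAccessForm">` contains a single text input and no submit button, so pressing Enter in `#user_invite` triggers the browser's implicit form submission as well as the `keypress` handler in giveViewAccess.js, which does not call `e.preventDefault()`. With no `action` or `method`, the form is submitted as GET to the current page, so the page reloads with the typed username or email address as a `user_invite` query parameter, and the AJAX flow may be cut short. Cancelling the form's `submit` event in giveViewAccess.js, or replacing the `<form>` with a plain container, keeps the typed value out of the address bar, browser history and access logs.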
diff --git a/plugins/UsersManager/tests/Fixtures/ManyUsers.php b/plugins/UsersManager/tests/Fixtures/ManyUsers.php
new file mode 100644
index 0000000000000000000000000000000000000000..b92be230f5c6c6354fd2c0dab48abf95f776afe8
--- /dev/null
+++ b/plugins/UsersManager/tests/Fixtures/ManyUsers.php
@@ -0,0 +1,69 @@
+<?php
+/**
+ * Piwik - free/libre analytics platform
+ *
+ * @link http://piwik.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+namespace Piwik\Plugins\UsersManager\tests\Fixtures;
+
+use Piwik\Plugins\UsersManager\API;
+use Piwik\Tests\Framework\Fixture;
+
+/**
+ * Generates tracker testing data for our APITest
+ *
+ * This Simple fixture adds one website and tracks one visit with couple pageviews and an ecommerce conversion
+ */
+class ManyUsers extends Fixture
+{
+ public $dateTime = '2013-01-23 01:23:45';
+ public $idSite = 1;
+
+ public $users = array(
+ 'login1' => array(),
+ 'login2' => array('view' => array(1,3,5), 'admin' => array(2,6)),
+ 'login3' => array('view' => array(), 'admin' => array()), // no access to any site
+ 'login4' => array('view' => array(6), 'admin' => array()), // only access to one with view
+ 'login5' => array('view' => array(), 'admin' => array(3)), // only access to one with admin
+ 'login6' => array('view' => array(), 'admin' => array(6,3)), // access to a couple of sites with admin
+ 'login7' => array('view' => array(2,1,6,3), 'admin' => array()), // access to a couple of sites with view
+ 'login8' => array('view' => array(4,7), 'admin' => array(2,5)), // access to a couple of sites with admin and view
+ );
+
+ public function setUp()
+ {
+ $this->setUpWebsite();
+ $this->setUpUsers();
+ }
+
+ public function tearDown()
+ {
+ // empty
+ }
+
+ private function setUpWebsite()
+ {
+ foreach (range(1,7) as $idSite) {
+ Fixture::createWebsite('2010-01-01 00:00:00');
+ }
+ }
+
+ protected function setUpUsers()
+ {
+ $api = API::getInstance();
+ foreach ($this->users as $login => $permissions) {
+ $api->addUser($login, 'password', $login . '@example.com');
+ foreach ($permissions as $access => $idSites) {
+ if (!empty($idSites)) {
+ $api->setUserAccess($login, $access, $idSites);
+ }
+ }
+ $user = $api->getUser($login);
+ $this->users[$login]['token'] = $user['token_auth'];
+ }
+
+ $api->setSuperUserAccess('login1', true);
+ }
+
+}
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/Integration/UserAccessFilterTest.php b/plugins/UsersManager/tests/Integration/UserAccessFilterTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..74ce4e09dfce7dc394b5f29c91274df6483c8700
--- /dev/null
+++ b/plugins/UsersManager/tests/Integration/UserAccessFilterTest.php
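Review bot: The class docblock on `ManyUsers` describes a different fixture: it mentions tracker data, one website, one visit and an ecommerce conversion, while `setUp()` creates seven websites and the eight users listed in `$users` with their view and admin grants. Since the access-filter tests depend on exactly who can see whom, I would replace it with a short summary of what is really created. That summary should note that `login1` is promoted to super user at the end of `setUpUsers()` and that each user's `token_auth` is stored under `$this->users[$login]['token']`. The loop variable in `foreach (range(1,7) as $idSite)` is never used, and a one-line comment such as `// create sites 1..7; the ids are referenced by $users` would make the coupling to the access table explicit.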
@@ -0,0 +1,322 @@
+<?php
+/**
+ * Piwik - free/libre analytics platform
+ *
+ * @link http://piwik.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager\tests\Integration;
+
+use Piwik\Access;
+use Piwik\Plugins\UsersManager\Model;
+use Piwik\Plugins\UsersManager\UserAccessFilter;
+use Piwik\Tests\Framework\Fixture;
+use Piwik\Tests\Framework\Mock\FakeAccess;
+use Piwik\Tests\Framework\TestCase\IntegrationTestCase;
+
+class TestUserAccessFilter extends UserAccessFilter {
+
+ public function isNonSuperUserAllowedToSeeThisLogin($login)
+ {
+ return parent::isNonSuperUserAllowedToSeeThisLogin($login);
+ }
+}
+
+/**
+ * @group UsersManager
+ * @group UserAccessFilterTest
+ * @group UserAccessFilter
+ * @group Plugins
+ */
+class UserAccessFilterTest extends IntegrationTestCase
+{
+ /**
+ * @var Model
+ */
+ private $model;
+
+ /**
+ * @var Access
+ */
+ private $access;
+
+ /**
+ * @var TestUserAccessFilter
+ */
+ private $filter;
+
+ private $users = array(
+ 'login2' => array('view' => array(1,3,5), 'admin' => array(2,6)),
+ 'login3' => array('view' => array(), 'admin' => array()), // no access to any site
+ 'login4' => array('view' => array(6), 'admin' => array()), // only access to one with view
+ 'login5' => array('view' => array(), 'admin' => array(3)), // only access to one with admin
+ 'login6' => array('view' => array(), 'admin' => array(6,3)), // access to a couple of sites with admin
+ 'login7' => array('view' => array(2,1,6,3), 'admin' => array()), // access to a couple of sites with view
+ 'login8' => array('view' => array(4,7), 'admin' => array(2,5)), // access to a couple of sites with admin and view
+ );
+
+ public function setUp()
+ {
+ parent::setUp();
+
+ // set up your test here if needed
+ $this->model = new Model();
+ $this->access = new FakeAccess();
+
+ $this->createManyWebsites();
+ $this->createManyUsers();
+ FakeAccess::clearAccess();
+
+ $this->filter = new 
TestUserAccessFilter($this->model, $this->access);
+ }
+
+ public function test_filterUser_WithSuperUserAccess_ShouldAlwaysReturnTrue()
+ {
+ $this->configureAcccessForLogin('login1');
+ foreach ($this->getAllLogins() as $login) {
+ $this->assertSame(array('login' => $login), $this->filter->filterUser(array('login' => $login)));
+ }
+ }
+
+ public function test_filterUser_WithViewUserAccess_ShouldOnlyReturnUserForOwnLogin()
+ {
+ $identity = 'login4';
+ $this->configureAcccessForLogin($identity);
+ $this->assertSame(array('login' => $identity), $this->filter->filterUser(array('login' => $identity)));
+ foreach ($this->getAllLogins() as $login) {
+ if ($login !== $identity) {
+ $this->assertNull($this->filter->filterUser(array('login' => $login)));
+ }
+ }
+ }
+
+ /**
+ * @dataProvider getIsUserAllowedToSeeThisLoginWithAdminAccess
+ */
+ public function test_filterUser_WithAdminAccess_ShouldOnlyReturnUserForOwnLogin($expectedAllowed, $loginToSee)
+ {
+ $this->configureAcccessForLogin('login2');
+ if ($expectedAllowed) {
+ $this->assertSame(array('login' => $loginToSee), $this->filter->filterUser(array('login' => $loginToSee)));
+ } else {
+ $this->assertSame(null, $this->filter->filterUser(array('login' => $loginToSee)));
+ }
+ }
+
+ /**
+ * @dataProvider getIsUserAllowedToSeeThisLoginWithAdminAccess
+ */
+ public function test_isNonSuperUserAllowedToSeeThisLogin_WithAdminAccess_IsAllowedToSeeAnyUserHavingAccessToSameAdminSites($expectedAllowed, $loginToSee)
+ {
+ $this->configureAcccessForLogin('login2');
+ $this->assertSame($expectedAllowed, $this->filter->isNonSuperUserAllowedToSeeThisLogin($loginToSee));
+ }
+
+ public function getIsUserAllowedToSeeThisLoginWithAdminAccess()
+ {
+ return array(
+ array($expectedAllowed = false, 'login1'), // not allowed to see this user as it has super user access
+ array($expectedAllowed = true, 'login2'), // it is the own user so visible anyway
+ array($expectedAllowed = false, 'login3'), // not allowed to see this user as 
this one does not have access to any site
+ array($expectedAllowed = true, 'login4'),
+ array($expectedAllowed = false, 'login5'), // this user doesn't share any site id where the user has admin access
+ array($expectedAllowed = true, 'login6'),
+ array($expectedAllowed = true, 'login7'),
+ array($expectedAllowed = true, 'login8'),
+ );
+ }
+
+ public function test_isNonSuperUserAllowedToSeeThisLogin_WithAdminAccess_IsAllowedToSeeAnyUserHavingAccessToSameAdminSites_UserHasAccessToOnlyOneAdminSite()
+ {
+ $this->configureAcccessForLogin('login5');
+
+ $this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login2'));
+ $this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login5'));
+ $this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login7'));
+ $this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login6'));
+
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login1')); // a user having view access only is not allowed to see any other user
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login3'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login4'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login8'));
+ }
+
+ public function test_isNonSuperUserAllowedToSeeThisLogin_WithOnlyViewAccess_IsAllowedToSeeOnlyOwnUser()
+ {
+ $this->configureAcccessForLogin('login7');
+ $this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login7')); // a view user is allowed to see itself
+
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login1')); // a user having view access only is not allowed to see any other user
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login2'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login3'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login4'));
+
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login5'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login6'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login8'));
+ }
+
+ public function test_isNonSuperUserAllowedToSeeThisLogin_WithNoAccess_IsStillAllowedToSeeAnyUser()
+ {
+ $this->configureAcccessForLogin('login3');
+ $this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login3')); // a view user is allowed to see itself
+
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login1'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login2'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login4'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login5'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login7'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login6'));
+ $this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login8'));
+ }
+
+ /**
+ * @dataProvider getTestFilterLogins
+ */
+ public function test_filterLogins($expectedLogins, $loginIdentity, $logins)
+ {
+ $this->configureAcccessForLogin($loginIdentity);
+ $this->assertSame($expectedLogins, $this->filter->filterLogins($logins)); // a view user is allowed to see itself
+ }
+
+ /**
+ * @dataProvider getTestFilterLogins
+ */
+ public function test_filterUsers($expectedLogins, $loginIdentity, $logins)
+ {
+ $this->configureAcccessForLogin($loginIdentity);
+
+ $users = array();
+ $expectedUsers = array();
+
+ foreach ($logins as $login) {
+ $user = array('login' => $login, 'alias' => 'test', 'password' => md5('pass'));
+
+ $users[] = $user;
+ if (in_array($login, $expectedLogins)) {
+ $expectedUsers[] = $user;
+ }
+ }
+
+ $this->assertSame($expectedUsers, $this->filter->filterUsers($users)); // a view user is allowed to see itself
+ }
+
+
/**
+ * @dataProvider getTestFilterLogins
+ */
+ public function test_filterLoginIndexedArray($expectedLogins, $loginIdentity, $logins)
+ {
+ $this->configureAcccessForLogin($loginIdentity);
+
+ $testArray = array();
+ $expectedTestArray = array();
+
+ foreach ($logins as $login) {
+ $anything = array('foo' . $login);
+
+ $users[$login] = $anything;
+
+ if (in_array($login, $expectedLogins)) {
+ $expectedUsers[$login] = $anything;
+ }
+ }
+
+ $this->assertSame($expectedTestArray, $this->filter->filterLoginIndexedArray($testArray)); // a view user is allowed to see itself
+ }
+
+ public function getTestFilterLogins()
+ {
+ return array(
+ array($expectedLogins = $this->getAllLogins(), $identity = 'login1', $this->getAllLogins()), // a super user is allowed to see all logins
+ array($expectedLogins = array('login2', 'foobar'), $identity = 'login1', array('login2', 'foobar')), // for super users we do not even check if they actually exist
+ array($expectedLogins = $this->buildLogins(array(2,4)), $identity = 'login2', array('login2', 'foobar', 'login4', 'login3')), // should remove logins that do not actually exist when user has admin permission
+ array($expectedLogins = $this->buildLogins(array(2,4,6,7,8)), $identity = 'login2', $this->getAllLogins()), // an admin user can see users having access to the admin sites
+ array($expectedLogins = $this->buildLogins(array(3)), $identity = 'login3', $this->getAllLogins()), // a user with no access to any site can only see itself
+ array($expectedLogins = array('foobar'), $identity = 'foobar', array('foobar')), // doesn't check whether user exists when not having access to any site and user doesn't actually exist
+ array($expectedLogins = $this->buildLogins(array(4)), $identity = 'login4', $this->getAllLogins()), // a user with only view access to a site can only see itself
+ array($expectedLogins = $this->buildLogins(array(2,5,6,7)), $identity = 'login5', $this->getAllLogins()), // has access to one admin site
+
array($expectedLogins = $this->buildLogins(array(2,4,5,6,7)), $identity = 'login6', $this->getAllLogins()), // has access to multiple admin sites
+ array($expectedLogins = $this->buildLogins(array(7)), $identity = 'login7', $this->getAllLogins()), // has only access to multiple view sites
+ array($expectedLogins = $this->buildLogins(array(2,7,8)), $identity = 'login8', $this->getAllLogins()), // a user with only view access to a site can only see itself
+ array($expectedLogins = array(), $identity = 'login1', array()), // no users given, should return empty array for user with super user access
+ array($expectedLogins = array(), $identity = 'login2', array()), // no users given, should return empty array for user with admin access
+ array($expectedLogins = array(), $identity = 'login3', array()), // no users given, should return empty array for user with no access
+ array($expectedLogins = array(), $identity = 'login4', array()), // no users given, should return empty array for user with only view access
+ array($expectedLogins = array('anonymous'), $identity = 'anonymous', array('anonymous')), // anonymous user can see itself
+ );
+ }
+
+ public function test_getAllLogins_shouldBeUpToDate()
+ {
+ $this->assertSame($this->model->getUsersLogin(), $this->getAllLogins());
+ $this->assertNotEmpty($this->getAllLogins());
+ }
+
+ public function test_buildLogins()
+ {
+ $this->assertSame(array('login2', 'login3', 'login7'), $this->buildLogins(array(2,3,7)));
+ $this->assertSame(array(), $this->buildLogins(array()));
+ }
+
+ private function createManyWebsites()
+ {
+ for ($i = 0; $i < 10; $i++) {
+ Fixture::createWebsite('2014-01-01 00:00:00');
+ }
+ }
+
+ private function buildLogins($ids)
+ {
+ $logins = array();
+ foreach ($ids as $id) {
+ $logins[] = 'login' . 
$id;
+ }
+ return $logins;
+ }
+
+ private function getAllLogins()
+ {
+ $logins = $this->buildLogins(range(1,8));
+ array_unshift($logins, 'anonymous');
+ return $logins;
+ }
+
+ private function createManyUsers()
+ {
+ $this->model->addUser('login1', md5('pass'), 'email1@example.com', 'alias1', md5('token1'), '2008-01-01 00:00:00');
+ $this->model->addUser('login2', md5('pass'), 'email2@example.com', 'alias2', md5('token2'), '2008-01-01 00:00:00');
+ // login3 won't have access to any site
+ $this->model->addUser('login3', md5('pass'), 'email3@example.com', 'alias3', md5('token3'), '2008-01-01 00:00:00');
+ $this->model->addUser('login4', md5('pass'), 'email4@example.com', 'alias4', md5('token4'), '2008-01-01 00:00:00');
+ $this->model->addUser('login5', md5('pass'), 'email5@example.com', 'alias5', md5('token5'), '2008-01-01 00:00:00');
+ $this->model->addUser('login6', md5('pass'), 'email6@example.com', 'alias6', md5('token6'), '2008-01-01 00:00:00');
+ $this->model->addUser('login7', md5('pass'), 'email7@example.com', 'alias7', md5('token7'), '2008-01-01 00:00:00');
+ $this->model->addUser('login8', md5('pass'), 'email8@example.com', 'alias8', md5('token8'), '2008-01-01 00:00:00');
+ $this->model->addUser('anonymous', '', 'ano@example.com', 'anonymous', 'anonymous', '2008-01-01 00:00:00');
+
+ $this->model->setSuperUserAccess('login1', true); // we treat this one as our superuser
+
+ foreach ($this->users as $login => $permissions) {
+ foreach ($permissions as $access => $idSites) {
+ $this->model->addUserAccess($login, $access, $idSites);
+ }
+ }
+ }
+
+ private function configureAcccessForLogin($login)
+ {
+ $hasSuperUser = false;
+ $idSitesAdmin = array();
+ $idSitesView = array();
+
+ if ($login === 'login1') {
+ $hasSuperUser = true;
+ } elseif (isset($this->users[$login])) {
+ $idSitesAdmin = $this->users[$login]['admin'];
+ $idSitesView = $this->users[$login]['view'];
+ }
+
+ FakeAccess::clearAccess($hasSuperUser, $idSitesAdmin, $idSitesView, $login);
+
} + +} diff --git a/plugins/UsersManager/tests/Integration/UsersManagerTest.php b/plugins/UsersManager/tests/Integration/UsersManagerTest.php index 391ba8dab24094824170b4ef324f71f3918fcb9b..4b4dfb6fa7e2309d16d5ae7679b8b118d166656b 100644 --- a/plugins/UsersManager/tests/Integration/UsersManagerTest.php +++ b/plugins/UsersManager/tests/Integration/UsersManagerTest.php @@ -378,6 +378,21 @@ class UsersManagerTest extends IntegrationTestCase $this->assertEquals(array($user1, $user2), $this->_removeNonTestableFieldsFromUsers($this->api->getUsers('gegg4564eqgeqag,geggeqge632ge56a4qag'))); } + /** + * @expectedException \Exception + * @expectedExceptionMessage checkUserHasSomeAdminAccess Fake exception + */ + public function testGetUsers_withViewAccess_shouldThrowAnException() + { + $this->api->addUser("gegg4564eqgeqag", "geqgegagae", "tegst@tesgt.com", "alias"); + $this->api->addUser("geggeqge632ge56a4qag", "geqgegeagae", "tesggt@tesgt.com", "alias"); + $this->api->addUser("geggeqgeqagqegg", "geqgeaggggae", "tesgggt@tesgt.com"); + + FakeAccess::clearAccess($superUser = false, $admin = array(), $view = array(1), 'gegg4564eqgeqag'); + + $this->api->getUsers(); + } + protected function _removeNonTestableFieldsFromUsers($users) { foreach ($users as &$user) { 
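Review bot: `test_filterLoginIndexedArray` never exercises the filter with data: the loop fills `$users[$login]` and `$expectedUsers[$login]`, but the assertion compares `$expectedTestArray` with `filterLoginIndexedArray($testArray)`, and both are still the empty arrays they were initialised to. The test therefore passes whatever the filter returns for a non-empty input, so a regression that exposes logins through this path would go unnoticed. The loop should write to the asserted variables, `$testArray[$login] = $anything;` and `$expectedTestArray[$login] = $anything;`. Separately, `test_isNonSuperUserAllowedToSeeThisLogin_WithNoAccess_IsStillAllowedToSeeAnyUser` asserts the opposite of its name (only the caller's own login is visible), and the trailing `// a view user is allowed to see itself` comments on the `filterLogins`, `filterUsers` and `filterLoginIndexedArray` assertions are copy-paste leftovers.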
@@ -401,6 +416,37 @@ class UsersManagerTest extends IntegrationTestCase $this->assertEquals(array("gegg4564eqgeqag", "geggeqge632ge56a4qag", "geggeqgeqagqegg"), $logins); } + public function testGetUserLoginFromUserEmail() + { + $this->api->addUser('gegg4564eqgeqag', 'geqgegagae', 'tegst@tesgt.com', 'alias'); + $this->api->addUser("geggeqge632ge56a4qag", "geqgegeagae", "tesggt@tesgt.com", "alias"); + $this->api->addUser("geggeqgeqagqegg", "geqgeaggggae", "tesgggt@tesgt.com"); + + $this->assertSame('gegg4564eqgeqag', $this->api->getUserLoginFromUserEmail('tegst@tesgt.com')); + $this->assertSame('geggeqge632ge56a4qag', $this->api->getUserLoginFromUserEmail('tesggt@tesgt.com')); + // test camel case should still find user + $this->assertSame('geggeqge632ge56a4qag', $this->api->getUserLoginFromUserEmail('teSGgT@tesgt.com')); + } + + /** + * @expectedException \Exception + * @expectedExceptionMessage UsersManager_ExceptionUserDoesNotExist + */ + public function testGetUserLoginFromUserEmail_shouldThrowException_IfUserDoesNotExist() + { + $this->api->getUserLoginFromUserEmail('unknownUser@teSsgt.com'); + } + + /** + * @expectedException \Exception + * @expectedExceptionMessage checkUserHasSomeAdminAccess Fake exception + */ + public function testGetUserLoginFromUserEmail_shouldThrowException_IfUserDoesNotHaveAtLeastAdminPermission() + { + FakeAccess::clearAccess($superUser = false, $admin =array(), $view = array(1)); + $this->api->getUserLoginFromUserEmail('tegst@tesgt.com'); + } + /** * @expectedException \Exception * @expectedExceptionMessage UsersManager_ExceptionUserDoesNotExist diff --git a/plugins/UsersManager/tests/System/ApiTest.php b/plugins/UsersManager/tests/System/ApiTest.php new file mode 100644 index 0000000000000000000000000000000000000000..7696c786b54dc536b2a969f50f310d04af50b87a --- /dev/null +++ b/plugins/UsersManager/tests/System/ApiTest.php 
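Review bot: `testGetUserLoginFromUserEmail_shouldThrowException_IfUserDoesNotHaveAtLeastAdminPermission` covers the view-only caller, but nothing in this hunk covers a caller who has admin access to some site and looks up the e-mail of a user outside those sites. That is the case where an e-mail lookup could confirm whether an account exists to someone who is not meant to see it, so it deserves its own test next to this one, set up with `FakeAccess::clearAccess($superUser = false, $admin = array(1), $view = array())` and asserting whatever the API is meant to return for a hidden user; the API change itself is not visible in this chunk, so the expected outcome needs confirming against it. The comment `// test camel case should still find user` would be more accurate as `// e-mail lookup is case-insensitive`. The enclosing class begins and ends outside the hunk.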
@@ -0,0 +1,76 @@
+<?php
+/**
+ * Piwik - free/libre analytics platform
+ *
+ * @link http://piwik.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\UsersManager\tests\System;
+
+use Piwik\Plugins\UsersManager\tests\Fixtures\ManyUsers;
+use Piwik\Tests\Framework\TestCase\SystemTestCase;
+
+/**
+ * @group UsersManager
+ * @group ApiTest
+ * @group Plugins
+ */
+class ApiTest extends SystemTestCase
+{
+ /**
+ * @var ManyUsers
+ */
+ public static $fixture = null; // initialized below class definition
+
+ /**
+ * @dataProvider getApiForTesting
+ */
+ public function testApi($api, $params = array())
+ {
+ $apiId = implode('_', $params);
+ $logins = array(
+ 'login1' => 'when_superuseraccess',
+ 'login2' => 'when_adminaccess',
+ 'login4' => 'when_viewaccess'
+ );
+
+ // login1 = super user, login2 = some admin access, login4 = only view access
+ foreach ($logins as $login => $appendix) {
+ $params['token_auth'] = self::$fixture->users[$login]['token'];
+
+ $this->runAnyApiTest($api, $apiId . '_' . 
$appendix, $params, array('xmlFieldsToRemove' => array('date_registered')));
+ }
+ }
+
+ public function getApiForTesting()
+ {
+ $apiToTest = array(
+ array('UsersManager.getUsers'),
+ array('UsersManager.getUsersLogin'),
+ array('UsersManager.getUsersAccessFromSite', array('idSite' => 6)), // admin user has admin acces for this
+ array('UsersManager.getUsersAccessFromSite', array('idSite' => 3)), // admin user has only view access for this, should not see anything
+ array('UsersManager.getUsersSitesFromAccess', array('access' => 'admin')),
+ array('UsersManager.getUsersWithSiteAccess', array('idSite' => 3, 'access' => 'admin')),
+ array('UsersManager.getUser', array('userLogin' => 'login1')),
+ array('UsersManager.getUser', array('userLogin' => 'login2')),
+ array('UsersManager.getUser', array('userLogin' => 'login4')),
+ array('UsersManager.getUser', array('userLogin' => 'login6')),
+ );
+
+ return $apiToTest;
+ }
+
+ public static function getOutputPrefix()
+ {
+ return '';
+ }
+
+ public static function getPathToTestDirectory()
+ {
+ return dirname(__FILE__);
+ }
+
+}
+
+ApiTest::$fixture = new ManyUsers();
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login1_when_adminaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login1_when_adminaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..9960d68a9d49497ff63fd19c6620b7692bdf353c
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login1_when_adminaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="The user has to be either a Super User or the user 'login1' itself." />
+</result>
\ No newline at end of file
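Review bot: `testApi` iterates only `login1`, `login2` and `login4`, so the expected files pin the super-user, admin and view-only responses but not a caller with no site access at all, although the fixture already provides one (`login3`). Adding `'login3' => 'when_noaccess'` to `$logins`, with the matching expected files, would pin the deny path for every API listed in `getApiForTesting()`. `testApi` also has no docblock; one sentence saying that the expected file name is built from the API name, `implode('_', $params)` and the per-login appendix would explain names such as `getUsersLogin__when_adminaccess`. `acces` in the idSite 6 comment is a typo for `access`.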
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login1_when_superuseraccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login1_when_superuseraccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..b96941238e394a02585ae7155a6582c965490a7c
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login1_when_superuseraccess.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login>login1</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login1</alias>
+ <email>login1@example.com</email>
+ <token_auth>367ea0b18ee1e641089e5d0a4d5f276d</token_auth>
+ <superuser_access>1</superuser_access>
+
+ </row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login1_when_viewaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login1_when_viewaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..9960d68a9d49497ff63fd19c6620b7692bdf353c
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login1_when_viewaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="The user has to be either a Super User or the user 'login1' itself." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login2_when_adminaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login2_when_adminaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..3516ee8eab4288dee10358d6fe087a0d757591ac
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login2_when_adminaccess.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login>login2</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login2</alias>
+ <email>login2@example.com</email>
+ <token_auth>ef3cb848005bffc2e2f3c8edbd95c58f</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login2_when_superuseraccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login2_when_superuseraccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..3516ee8eab4288dee10358d6fe087a0d757591ac
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login2_when_superuseraccess.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login>login2</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login2</alias>
+ <email>login2@example.com</email>
+ <token_auth>ef3cb848005bffc2e2f3c8edbd95c58f</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login2_when_viewaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login2_when_viewaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..907f6cc3b05259eeffd8635768c5f9c3f3fe1099
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login2_when_viewaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="The user has to be either a Super User or the user 'login2' itself." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login4_when_adminaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login4_when_adminaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..99e541176d78f40ef2eeabbe695d5a770c5b780c
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login4_when_adminaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="The user has to be either a Super User or the user 'login4' itself." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login4_when_superuseraccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login4_when_superuseraccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..16caa1d3783a5fcf09477fe82789911daa8726a3
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login4_when_superuseraccess.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login>login4</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login4</alias>
+ <email>login4@example.com</email>
+ <token_auth>dc6fb0514c143d97c72b8be165e7ee0a</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login4_when_viewaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login4_when_viewaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..16caa1d3783a5fcf09477fe82789911daa8726a3
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login4_when_viewaccess.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login>login4</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login4</alias>
+ <email>login4@example.com</email>
+ <token_auth>dc6fb0514c143d97c72b8be165e7ee0a</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login6_when_adminaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login6_when_adminaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..de29ba43367d9552c81261a888159503f9a039b8
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login6_when_adminaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="The user has to be either a Super User or the user 'login6' itself." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login6_when_superuseraccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login6_when_superuseraccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..2cd79e6cd458d791a718a9fe31348b096012f0f4
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login6_when_superuseraccess.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login>login6</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login6</alias>
+ <email>login6@example.com</email>
+ <token_auth>2cafd6512d8b2739a7b2b01ab6609272</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login6_when_viewaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login6_when_viewaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..de29ba43367d9552c81261a888159503f9a039b8
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUser_login6_when_viewaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="The user has to be either a Super User or the user 'login6' itself." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_3_when_adminaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_3_when_adminaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..8dbbc46cd768d46b5732f021bcfd6c573d216edf
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_3_when_adminaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="You can't access this resource as it requires an 'admin' access for the website id = 3." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_3_when_superuseraccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_3_when_superuseraccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..29c1c8fc6fe7c5fb1dee68fa58fd45f92298a83b
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_3_when_superuseraccess.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login2>view</login2>
+ <login5>admin</login5>
+ <login6>admin</login6>
+ <login7>view</login7>
+ </row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_3_when_viewaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_3_when_viewaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..8dbbc46cd768d46b5732f021bcfd6c573d216edf
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_3_when_viewaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="You can't access this resource as it requires an 'admin' access for the website id = 3." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_6_when_adminaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_6_when_adminaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..ca45c6e1b23cb09c9248b662d3b8e11aa56ebe71
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_6_when_adminaccess.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login2>admin</login2>
+ <login4>view</login4>
+ <login6>admin</login6>
+ <login7>view</login7>
+ </row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_6_when_superuseraccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_6_when_superuseraccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..ca45c6e1b23cb09c9248b662d3b8e11aa56ebe71
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_6_when_superuseraccess.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login2>admin</login2>
+ <login4>view</login4>
+ <login6>admin</login6>
+ <login7>view</login7>
+ </row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_6_when_viewaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_6_when_viewaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..77eacac8afbb2ec3808887161563bd3412897847
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersAccessFromSite_6_when_viewaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="You can't access this resource as it requires an 'admin' access for the website id = 6." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersLogin__when_adminaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersLogin__when_adminaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..11c32f1705517650b0867d3a4a354311e8154f75
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersLogin__when_adminaccess.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>login2</row>
+ <row>login4</row>
+ <row>login6</row>
+ <row>login7</row>
+ <row>login8</row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersLogin__when_superuseraccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersLogin__when_superuseraccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..151105d5b41f2795e8325e5f970c9f49d2f78e28
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersLogin__when_superuseraccess.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>login1</row>
+ <row>login2</row>
+ <row>login3</row>
+ <row>login4</row>
+ <row>login5</row>
+ <row>login6</row>
+ <row>login7</row>
+ <row>login8</row>
+ <row>superUserLogin</row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersLogin__when_viewaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersLogin__when_viewaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..89ba742befb61140b2e799e2711f9be908dcf1e7
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersLogin__when_viewaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="You can't access this resource as it requires an admin access for at least one website." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersSitesFromAccess_admin_when_adminaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersSitesFromAccess_admin_when_adminaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..a88f3cd9e9fcc3888a7641b6035a033cef097d94
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersSitesFromAccess_admin_when_adminaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="You can't access this resource as it requires a 'superuser' access." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersSitesFromAccess_admin_when_superuseraccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersSitesFromAccess_admin_when_superuseraccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..52d3c05844c798707769a0125c593650f36d21bb
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersSitesFromAccess_admin_when_superuseraccess.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <login2>
+ <row>2</row>
+ <row>6</row>
+ </login2>
+ <login5>
+ <row>3</row>
+ </login5>
+ <login6>
+ <row>3</row>
+ <row>6</row>
+ </login6>
+ <login8>
+ <row>2</row>
+ <row>5</row>
+ </login8>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersSitesFromAccess_admin_when_viewaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersSitesFromAccess_admin_when_viewaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..a88f3cd9e9fcc3888a7641b6035a033cef097d94
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersSitesFromAccess_admin_when_viewaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="You can't access this resource as it requires a 'superuser' access." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersWithSiteAccess_3_admin_when_adminaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersWithSiteAccess_3_admin_when_adminaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..8dbbc46cd768d46b5732f021bcfd6c573d216edf
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersWithSiteAccess_3_admin_when_adminaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="You can't access this resource as it requires an 'admin' access for the website id = 3." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersWithSiteAccess_3_admin_when_superuseraccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersWithSiteAccess_3_admin_when_superuseraccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..9af31e8a0cb81bf9bfae782b0a0ec772c2fb6d81
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersWithSiteAccess_3_admin_when_superuseraccess.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login>login5</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login5</alias>
+ <email>login5@example.com</email>
+ <token_auth>4550293427ba5d0a0c96d6123429e9d3</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+ <row>
+ <login>login6</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login6</alias>
+ <email>login6@example.com</email>
+ <token_auth>2cafd6512d8b2739a7b2b01ab6609272</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+</result>
\ No newline at end of file
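Review bot: The expected response for `getUsersWithSiteAccess_3_admin_when_superuseraccess` pins `<password>` and `<token_auth>` values for login5 and login6, so the fixture makes returning credential material part of the asserted API output; the `getUsers__when_superuseraccess.xml` fixture later in this diff does the same for every user. Both rows carry the identical 32-hex-digit `<password>` value, which suggests the stored hashes are unsalted (inferred from the fixture only, the hashing code is not in this diff). What these cases need to prove is who receives rows and who receives an error, so comparing `login`, `alias`, `email` and `superuser_access` would cover it while keeping secret-bearing fields out of committed fixtures. The `getUsers__when_adminaccess.xml` fixture in this diff already shows a reduced row shape with only `login` and `alias`.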
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersWithSiteAccess_3_admin_when_viewaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersWithSiteAccess_3_admin_when_viewaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..8dbbc46cd768d46b5732f021bcfd6c573d216edf
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsersWithSiteAccess_3_admin_when_viewaccess.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <error message="You can't access this resource as it requires an 'admin' access for the website id = 3." />
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsers__when_adminaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsers__when_adminaccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..30411b3ef84b488d1c5143f41f60881b5e874cfa
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsers__when_adminaccess.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login>login2</login>
+ <alias>login2</alias>
+ </row>
+ <row>
+ <login>login4</login>
+ <alias>login4</alias>
+ </row>
+ <row>
+ <login>login6</login>
+ <alias>login6</alias>
+ </row>
+ <row>
+ <login>login7</login>
+ <alias>login7</alias>
+ </row>
+ <row>
+ <login>login8</login>
+ <alias>login8</alias>
+ </row>
+</result>
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsers__when_superuseraccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsers__when_superuseraccess.xml
new file mode 100644
index 0000000000000000000000000000000000000000..af284f900d80b2def0ffa06d9eaa5e621838ee4a
--- /dev/null
+++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsers__when_superuseraccess.xml 
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<result>
+ <row>
+ <login>login1</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login1</alias>
+ <email>login1@example.com</email>
+ <token_auth>367ea0b18ee1e641089e5d0a4d5f276d</token_auth>
+ <superuser_access>1</superuser_access>
+
+ </row>
+ <row>
+ <login>login2</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login2</alias>
+ <email>login2@example.com</email>
+ <token_auth>ef3cb848005bffc2e2f3c8edbd95c58f</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+ <row>
+ <login>login3</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login3</alias>
+ <email>login3@example.com</email>
+ <token_auth>4298f4654bddcccac23e3d38c7d8a79d</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+ <row>
+ <login>login4</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login4</alias>
+ <email>login4@example.com</email>
+ <token_auth>dc6fb0514c143d97c72b8be165e7ee0a</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+ <row>
+ <login>login5</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login5</alias>
+ <email>login5@example.com</email>
+ <token_auth>4550293427ba5d0a0c96d6123429e9d3</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+ <row>
+ <login>login6</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login6</alias>
+ <email>login6@example.com</email>
+ <token_auth>2cafd6512d8b2739a7b2b01ab6609272</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+ <row>
+ <login>login7</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login7</alias>
+ <email>login7@example.com</email>
+ <token_auth>8bda247657d9b13c20843fd97c3fb427</token_auth>
+ <superuser_access>0</superuser_access>
+
+ </row>
+ <row>
+ <login>login8</login>
+ <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
+ <alias>login8</alias>
+ <email>login8@example.com</email> + <token_auth>8fdfef11755e29a8369a57fe2709445b</token_auth> + <superuser_access>0</superuser_access> + + </row> + <row> + <login>superUserLogin</login> + <password>1e56c228742c0189d261500852e27a02</password> + <alias>superUserLogin</alias> + <email>hello@example.org</email> + <token_auth>9ad1de7f8b329ab919d854c556f860c1</token_auth> + <superuser_access>1</superuser_access> + + </row> +</result> \ No newline at end of file diff --git a/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsers__when_viewaccess.xml b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsers__when_viewaccess.xml new file mode 100644 index 0000000000000000000000000000000000000000..89ba742befb61140b2e799e2711f9be908dcf1e7 --- /dev/null +++ b/plugins/UsersManager/tests/System/expected/test___UsersManager.getUsers__when_viewaccess.xml @@ -0,0 +1,4 @@ +<?xml version="1.0" encoding="utf-8" ?> +<result> + <error message="You can't access this resource as it requires an admin access for at least one website." /> +</result> \ No newline at end of file diff --git a/tests/PHPUnit/Framework/Mock/FakeAccess.php b/tests/PHPUnit/Framework/Mock/FakeAccess.php index 7cd16916393c3bb8ab3e8697ecadf4a13f687240..e23ceb21484f2ca64524677dc7675896c0d4a122 100644 --- a/tests/PHPUnit/Framework/Mock/FakeAccess.php +++ b/tests/PHPUnit/Framework/Mock/FakeAccess.php @@ -128,7 +128,7 @@ class FakeAccess extends Access public function checkUserHasSomeViewAccess() { if (!self::$superUser) { - if (count(self::$idSitesView) == 0) { + if (count(array_merge(self::$idSitesView, self::$idSitesAdmin)) == 0) { throw new NoAccessException("checkUserHasSomeViewAccess Fake exception // string not to be tested"); } } else { 
@@ -136,15 +136,21 @@ class FakeAccess extends Access } } + //means at least view access + public function isUserHasSomeAdminAccess() + { + if (self::$superUser) { + return true; + } + + return count(self::$idSitesAdmin) > 0; + } + //means at least view access public function checkUserHasSomeAdminAccess() { - if (!self::$superUser) { - if (count(self::$idSitesAdmin) == 0) { - throw new NoAccessException("checkUserHasSomeAdminAccess Fake exception // string not to be tested"); - } - } else { - return; //Super User has some admin rights + if (!$this->isUserHasSomeAdminAccess()) { + throw new NoAccessException("checkUserHasSomeAdminAccess Fake exception // string not to be tested"); } } diff --git a/tests/PHPUnit/Framework/TestCase/SystemTestCase.php b/tests/PHPUnit/Framework/TestCase/SystemTestCase.php index 7797751b9f682abff55db80729174bd8ae7e58df..0dd79873ab453afa8b87b7622da39a384c8fa6f1 100755 --- a/tests/PHPUnit/Framework/TestCase/SystemTestCase.php +++ b/tests/PHPUnit/Framework/TestCase/SystemTestCase.php @@ -15,6 +15,7 @@ use Piwik\Config; use Piwik\Container\StaticContainer; use Piwik\Db; use Piwik\DbHelper; +use Piwik\Http; use Piwik\ReportRenderer; use Piwik\Tests\Framework\Constraint\ResponseCode; use Piwik\Tests\Framework\Constraint\HttpResponseText; @@ -26,6 +27,7 @@ use Piwik\Log; use PHPUnit_Framework_TestCase; use Piwik\Tests\Framework\Fixture; use Piwik\Translation\Translator; +use Piwik\Url; require_once PIWIK_INCLUDE_PATH . '/libs/PiwikTracker/PiwikTracker.php'; 
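Review bot: The new `isUserHasSomeAdminAccess()` in FakeAccess is introduced with the comment `//means at least view access`, apparently copied from the method below it, yet the body returns true only for a super user or a non-empty `self::$idSitesAdmin`. In a mock that stands in for the real authorization checks, a comment naming the wrong privilege level invites tests written against the wrong assumption. I would replace it with `// true when the fake user is super user or has admin access to at least one site`, and correct the same pre-existing comment above `checkUserHasSomeAdminAccess()`. The class body continues outside the hunk.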
@@ -287,6 +289,65 @@ abstract class SystemTestCase extends PHPUnit_Framework_TestCase return $apiCalls; } + /** + * While {@link runApiTests()} lets you run test for many API methods at once this one tests only one specific + * API method and it goes via HTTP. While the other method lets you test only some methods starting with 'get' + * this one lets you actually test any API method. + */ + protected function runAnyApiTest($apiMethod, $apiId, $requestParams, $options = array()) + { + $requestParams['module'] = 'API'; + $requestParams['format'] = 'XML'; + $requestParams['method'] = $apiMethod; + + $apiId = $apiMethod . '_' . $apiId . '.xml'; + $testName = 'test_' . static::getOutputPrefix(); + + list($processedFilePath, $expectedFilePath) = + $this->getProcessedAndExpectedPaths($testName, $apiId, $format = null, $compareAgainst = false); + + if (!array_key_exists('token_auth', $requestParams)) { + $requestParams['token_auth'] = Fixture::getTokenAuth(); + } + + $response = $this->getResponseFromHttpAPI($requestParams); + $processedResponse = new Response($response, $options, $requestParams); + + if (empty($compareAgainst)) { + $processedResponse->save($processedFilePath); + } + + try { + $expectedResponse = Response::loadFromFile($expectedFilePath, $options, $requestParams); + } catch (Exception $ex) { + $this->handleMissingExpectedFile($expectedFilePath, $processedResponse); + return; + } + + try { + $errorMessage = get_class($this) . ": Differences with expected in '$processedFilePath'"; + Response::assertEquals($expectedResponse, $processedResponse, $errorMessage); + } catch (Exception $ex) { + $this->comparisonFailures[] = $ex; + } + + $this->printApiTestFailures(); + } + + /** + * @param $requestUrl + * @return string + * @throws Exception + */ + protected function getResponseFromHttpAPI($requestUrl) + { + $queryString = Url::getQueryStringFromParameters($requestUrl); + $hostAndPath = Fixture::getTestRootUrl(); + $url = $hostAndPath . '?' . 
$queryString; + $response = Http::sendHttpRequest($url, $timeout = 300); + return $response; + } + protected function _testApiUrl($testName, $apiId, $requestUrl, $compareAgainst, $params = array()) { list($processedFilePath, $expectedFilePath) = @@ -460,6 +521,13 @@ abstract class SystemTestCase extends PHPUnit_Framework_TestCase $this->changeLanguage('en'); } + $this->printApiTestFailures(); + + return count($this->comparisonFailures) == 0; + } + + private function printApiTestFailures() + { if (!empty($this->missingExpectedFiles)) { $expectedDir = dirname(reset($this->missingExpectedFiles)); $this->fail(" ERROR: Could not find expected API output '" @@ -473,8 +541,6 @@ abstract class SystemTestCase extends PHPUnit_Framework_TestCase $this->printComparisonFailures(); throw reset($this->comparisonFailures); } - - return count($this->comparisonFailures) == 0; } protected function getTestRequestsCollection($api, $testConfig, $apiToCall) diff --git a/tests/PHPUnit/Integration/AccessTest.php b/tests/PHPUnit/Integration/AccessTest.php index 23267a0cfd1d23cbe0e5f7465d33e87d8f2cb3d7..0f9c075e63756ac0c890815ad81b3bfe51165e5d 100644 --- a/tests/PHPUnit/Integration/AccessTest.php +++ b/tests/PHPUnit/Integration/AccessTest.php @@ -117,6 +117,19 @@ class AccessTest extends IntegrationTestCase $access->checkUserHasSomeAdminAccess(); } + public function test_isUserHasSomeAdminAccess_WithSuperUserAccess() + { + $access = new Access(); + $access->setSuperUserAccess(true); + $this->assertTrue($access->isUserHasSomeAdminAccess()); + } + + public function test_isUserHasSomeAdminAccess_WithOnlyViewAccess() + { + $access = new Access(); + $this->assertFalse($access->isUserHasSomeAdminAccess()); + } + /** * @expectedException \Piwik\NoAccessException */ diff --git a/tests/UI/expected-ui-screenshots b/tests/UI/expected-ui-screenshots index 9977af9cc9843bcd321831ef3bf9ec304d7485d6..9ce31e0cf5645aace16bc2d3e9beca11a6e5a819 160000 --- a/tests/UI/expected-ui-screenshots 
+++ b/tests/UI/expected-ui-screenshots
@@ -1 +1 @@
-Subproject commit 9977af9cc9843bcd321831ef3bf9ec304d7485d6
+Subproject commit 9ce31e0cf5645aace16bc2d3e9beca11a6e5a819
diff --git a/tests/UI/specs/UsersManager_spec.js b/tests/UI/specs/UsersManager_spec.js
new file mode 100644
index 0000000000000000000000000000000000000000..658008a6cc1e72d70bd0a55288f645b213023018
--- /dev/null
+++ b/tests/UI/specs/UsersManager_spec.js
@@ -0,0 +1,96 @@ +/*! + * Piwik - free/libre analytics platform + * + * Site selector screenshot tests. + * + * @link http://piwik.org + * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later + */ + +describe("UsersManager", function () { + this.timeout(0); + this.fixture = "Piwik\\Plugins\\UsersManager\\tests\\Fixtures\\ManyUsers"; + + var url = "?module=UsersManager&action=index"; + + function assertScreenshotEquals(screenshotName, done, test) + { + expect.screenshot(screenshotName).to.be.captureSelector('#content', test, done); + } + + function openGiveAccessForm(page) { + page.click('#showGiveViewAccessForm'); + } + + function setLoginOrEmailForGiveAccessForm(page, loginOrEmail) + { + page.evaluate(function () { + $('#user_invite').val(''); + }); + page.sendKeys('#user_invite', loginOrEmail); + } + + function submitGiveAccessForm(page) + { + page.click('#giveUserAccessToViewReports'); + page.wait(1000); // we wait in case error notification is still fading in and not fully visible yet + } + + before(function () { + testEnvironment.idSitesAdminAccess = [1,2]; + testEnvironment.save(); + }); + + after(function () { + delete testEnvironment.idSitesAdminAccess; + testEnvironment.save(); + }); + + it("should show only users having access to same site", function (done) { + assertScreenshotEquals("loaded_as_admin", done, function (page) { + page.load(url); + }); + }); + + it("should open give view access form when clicking on button", function (done) { + assertScreenshotEquals("adminuser_give_view_access_form_opened", done, function (page) { + openGiveAccessForm(page); + }); + }); + + it("should show an error when nothing entered", function (done) { + assertScreenshotEquals("adminuser_give_view_access_no_user_entered", done, function (page) { + submitGiveAccessForm(page); + }); + }); + + it("should show an error when no such user found", function (done) { + assertScreenshotEquals("adminuser_give_view_access_user_not_found", done, function (page) { + 
setLoginOrEmailForGiveAccessForm(page, 'anyNoNExistingUser'); + submitGiveAccessForm(page); + }); + }); + + it("should show an error if user already has access", function (done) { + assertScreenshotEquals("adminuser_give_view_access_user_already_has_access", done, function (page) { + setLoginOrEmailForGiveAccessForm(page, 'login2'); + submitGiveAccessForm(page); + }); + }); + + it("should add a user by login", function (done) { + assertScreenshotEquals("adminuser_give_view_access_via_login", done, function (page) { + setLoginOrEmailForGiveAccessForm(page, 'login3'); + submitGiveAccessForm(page); + }); + }); + + it("should add a user by email", function (done) { + assertScreenshotEquals("adminuser_give_view_access_via_email", done, function (page) { + page.load(url); + openGiveAccessForm(page); + setLoginOrEmailForGiveAccessForm(page, 'login4@example.com'); + submitGiveAccessForm(page); + }); + }); +}); \ No newline at end of file
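Review bot: The file header still reads `Site selector screenshot tests.`, which looks carried over from another spec; `UsersManager screenshot tests for a user with admin (not super user) access.` would describe this file. The `before` hook switches the shared test environment to `idSitesAdminAccess = [1,2]`, and only the first and last cases call `page.load(url)`, so the cases in between depend on page state left by the previous one. A short comment above `before` stating both points would help whoever reorders or isolates a case. `page.wait(1000)` in `submitGiveAccessForm` is a fixed delay and may be flaky on slow runners.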