From 80721ac6fd81c425e2af6b940d507cd5c886f97a Mon Sep 17 00:00:00 2001
From: mattab <matthieu.aubry@gmail.com>
Date: Thu, 23 May 2013 15:48:05 +1200
Subject: [PATCH] Fixes #3951

---
 config/global.ini.php  | 9 ++++++++-
 core/Tracker/Visit.php | 6 +++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/config/global.ini.php b/config/global.ini.php
index 32e0cb1fbd..e305959044 100644
--- a/config/global.ini.php
+++ b/config/global.ini.php
@@ -340,6 +340,13 @@ overlay_disable_framed_mode = 0
 ; this is useful when you want to do cross websites analysis
 use_third_party_id_cookie = 0
 
+; There is a feature in the Tracking API that lets you create new visit at any given time, for example if you know that a different user/customer is using
+; the app then you would want to tell Piwik to create a new visit (even though both users are using the same browser/computer).
+; To prevent abuse and easy creation of fake visits, this feature requires admin token_auth by default
+; If you wish to use this feature using the Javascript tracker, you can set the setting new_visit_api_requires_admin=0, and in Javascript write:
+; _paq.push(['appendToTrackingUrl', 'new_visit=1']);
+new_visit_api_requires_admin = 1
+
 ; This setting should only be set to 1 in an intranet setting, where most users have the same configuration (browsers, OS)
 ; and the same IP. If left to 0 in this setting, all visitors will be counted as one single visitor.
 trust_visitors_cookies = 0
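Review bot: The comment added above `new_visit_api_requires_admin` does not spell out what setting it to 0 exposes: any client that can reach the tracker could then append `new_visit=1` and split or inflate visit counts, which matters on a publicly reachable server. Because the Javascript tracker runs in the visitor's browser, the comment should also say that an admin token_auth must never be embedded there, which is why the Javascript path needs the 0 setting at all. I would add a line such as `; If set to 0, any visitor can force new visits and skew visit counts; never put an admin token_auth in Javascript.`, in the same register as the warning on the setting in the next hunk.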
@@ -417,7 +424,7 @@ ip_address_mask_length = 1
 tracker_cache_file_ttl = 300
 
 ; DO NOT USE THIS SETTING ON PUBLICLY AVAILABLE PIWIK SERVER
-; !!! Security risk: if set to 0, it would allow anyone to push data to Piwik with custom dates in the past/future and with fake IPs !!!
+; !!! Security risk: if set to 0, it would allow anyone to push data to Piwik with custom dates in the past/future and even with fake IPs!
 ; When using the Tracking API, to override either the datetime and/or the visitor IP, 
 ; token_auth with an "admin" access is required. If you set this setting to 0, the token_auth will not be required anymore.
 ; DO NOT USE THIS SETTING ON PUBLIC PIWIK SERVERS
diff --git a/core/Tracker/Visit.php b/core/Tracker/Visit.php
index 24b1c2e8d1..f7ea1ea10e 100644
--- a/core/Tracker/Visit.php
+++ b/core/Tracker/Visit.php
@@ -1199,7 +1199,11 @@ class Piwik_Tracker_Visit implements Piwik_Tracker_Visit_Interface
 
         $visitRow = Piwik_Tracker::getDatabase()->fetch($sql, $bindSql);
 
-        if (!Piwik_Config::getInstance()->Debug['tracker_always_new_visitor']
+        $newVisitEnforcedAPI = !empty($this->request['new_visit'])
+                && ($this->authenticated || !Piwik_Config::getInstance()->Tracker['new_visit_api_requires_admin']);
+        $enforceNewVisit = $newVisitEnforcedAPI || Piwik_Config::getInstance()->Debug['tracker_always_new_visitor'];
+
+        if (!$enforceNewVisit
             && $visitRow
             && count($visitRow) > 0
         ) {
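Review bot: The guard in `$newVisitEnforcedAPI` fails open, because it negates `Tracker['new_visit_api_requires_admin']` directly, so a missing key is treated like 0 and an unauthenticated `new_visit=1` would be honoured. The default shipped in global.ini.php presumably keeps the key present, but reading the section once and treating an unset key as 1 makes that explicit: `$trackerConfig = Piwik_Config::getInstance()->Tracker;` then `$requiresAdmin = !isset($trackerConfig['new_visit_api_requires_admin']) || $trackerConfig['new_visit_api_requires_admin'];`. Whether `$this->authenticated` means an admin-level token_auth, as the config comment promises, is not visible here; the enclosing method starts and ends outside the hunk. A rejected `new_visit` request is also dropped silently, so a debug log line at that point would help operators notice both misconfiguration and probing.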
-- 
GitLab