refs #4053 let regular users browse the marketplace but not install or update

f9136793 · Thomas Steur · 4d7d1262 · f9136793 · f9136793 · f9136793
--- a/plugins/CorePluginsAdmin/Controller.php
+++ b/plugins/CorePluginsAdmin/Controller.php
@@ -34,10 +34,13 @@ class Controller extends \Piwik\Controller\Admin

    public function updatePlugin()
    {
+        Piwik::checkUserIsSuperUser();
+
        $view = $this->configureView('@CorePluginsAdmin/updatePlugin');
        $view->errorMessage = '';

        $pluginName = Common::getRequestVar('pluginName', '', 'string');
+        $pluginName = strip_tags($pluginName);
        $nonce      = Common::getRequestVar('nonce', '', 'string');

        if (empty($pluginName)) {
@@ -72,10 +75,13 @@ class Controller extends \Piwik\Controller\Admin

    public function installPlugin()
    {
+        Piwik::checkUserIsSuperUser();
+
        $view = $this->configureView('@CorePluginsAdmin/installPlugin');
        $view->errorMessage = '';

        $pluginName = Common::getRequestVar('pluginName', '', 'string');
+        $pluginName = strip_tags($pluginName);
        $nonce      = Common::getRequestVar('nonce', '', 'string');

        if (empty($pluginName)) {
@@ -117,22 +123,18 @@ class Controller extends \Piwik\Controller\Admin
            return;
        }

-        $marketplace = new MarketplaceApiClient();
+        $view = $this->configureView('@CorePluginsAdmin/pluginDetails');

-        $view         = $this->configureView('@CorePluginsAdmin/pluginDetails');
+        $marketplace  = new MarketplaceApiClient();
        $view->plugin = $marketplace->getPluginInfo($pluginName);

        echo $view->render();
    }

-    public function themeDetails()
-    {
-        $this->pluginDetails();
-    }
-
    public function browsePlugins()
    {
        $query = Common::getRequestVar('query', '', 'string', $_POST);
+        $query = strip_tags($query);
        $sort  = Common::getRequestVar('sort', $this->defaultSortMethod, 'string');

        if (!in_array($sort, $this->validSortMethods)) {
@@ -148,6 +150,7 @@ class Controller extends \Piwik\Controller\Admin
        $view->sort    = $sort;
        $view->installNonce = Nonce::getNonce('CorePluginsAdmin.installPlugin');
        $view->updateNonce  = Nonce::getNonce('CorePluginsAdmin.updatePlugin');
+        $view->isSuperUser  = Piwik::isUserIsSuperUser();

        echo $view->render();
    }
@@ -155,6 +158,7 @@ class Controller extends \Piwik\Controller\Admin
    public function browseThemes()
    {
        $query = Common::getRequestVar('query', '', 'string', $_POST);
+        $query = strip_tags($query);
        $sort  = Common::getRequestVar('sort', $this->defaultSortMethod, 'string');

        if (!in_array($sort, $this->validSortMethods)) {
@@ -170,6 +174,7 @@ class Controller extends \Piwik\Controller\Admin
        $view->sort    = $sort;
        $view->installNonce = Nonce::getNonce('CorePluginsAdmin.installPlugin');
        $view->updateNonce  = Nonce::getNonce('CorePluginsAdmin.updatePlugin');
+        $view->isSuperUser  = Piwik::isUserIsSuperUser();

        echo $view->render();
    }
@@ -182,6 +187,8 @@ class Controller extends \Piwik\Controller\Admin

    function plugins()
    {
+        Piwik::checkUserIsSuperUser();
+
        $activated  = Common::getRequestVar('activated', false, 'integer', $_GET);
        $pluginName = Common::getRequestVar('pluginName', '', 'string');

@@ -204,8 +211,11 @@ class Controller extends \Piwik\Controller\Admin

    function themes()
    {
+        Piwik::checkUserIsSuperUser();
+
        $activated  = Common::getRequestVar('activated', false, 'integer', $_GET);
        $pluginName = Common::getRequestVar('pluginName', '', 'string');
+        $pluginName = strip_tags($pluginName);

        $view = $this->configureView('@CorePluginsAdmin/themes');

@@ -219,8 +229,8 @@ class Controller extends \Piwik\Controller\Admin
        $view->updateNonce   = Nonce::getNonce('CorePluginsAdmin.updatePlugin');
        $view->activateNonce = Nonce::getNonce('CorePluginsAdmin.activatePlugin');
        $view->pluginsInfo   = $pluginsInfo;
-        $marketplace = new Marketplace();

+        $marketplace = new Marketplace();
        $view->pluginsHavingUpdate = $marketplace->getPluginsHavingUpdate($pluginsInfo, $themesOnly = true);

        echo $view->render();
@@ -228,7 +238,7 @@ class Controller extends \Piwik\Controller\Admin

    protected function configureView($template)
    {
-        Piwik::checkUserIsSuperUser();
+        Piwik::checkUserIsNotAnonymous();
        $view = new View($template);
        $this->setBasicVariablesView($view);
        $this->displayWarningIfConfigFileNotWritable($view);
@@ -303,6 +313,7 @@ class Controller extends \Piwik\Controller\Admin
        Piwik::checkUserIsSuperUser();

        $pluginName = Common::getRequestVar('pluginName', '', 'string');
+        $pluginName = strip_tags($pluginName);
        $nonce      = Common::getRequestVar('nonce', '', 'string');

        if (empty($pluginName)) {

--- a/plugins/CorePluginsAdmin/CorePluginsAdmin.php
+++ b/plugins/CorePluginsAdmin/CorePluginsAdmin.php
@@ -54,21 +54,23 @@ class CorePluginsAdmin extends \Piwik\Plugin

    function addMenu()
    {
-        $marketplace = new Marketplace();
-        $pluginsHavingUpdate = $marketplace->getPluginsHavingUpdate($themesOnly = false);
-        $themesHavingUpdate  = $marketplace->getPluginsHavingUpdate($themesOnly = true);
-
        $pluginsUpdateMessage = '';
-        if (!empty($pluginsHavingUpdate)) {
-            $pluginsUpdateMessage = sprintf(' (%d)', count($pluginsHavingUpdate));
-        }
+        $themesUpdateMessage  = '';

-        $themesUpdateMessage = '';
-        if (!empty($themesHavingUpdate)) {
-            $themesUpdateMessage = sprintf(' (%d)', count($themesHavingUpdate));
+        if (Piwik::isUserIsSuperUser()) {
+            $marketplace = new Marketplace();
+            $pluginsHavingUpdate = $marketplace->getPluginsHavingUpdate($themesOnly = false);
+            $themesHavingUpdate  = $marketplace->getPluginsHavingUpdate($themesOnly = true);
+
+            if (!empty($pluginsHavingUpdate)) {
+                $pluginsUpdateMessage = sprintf(' (%d)', count($pluginsHavingUpdate));
+            }
+            if (!empty($themesHavingUpdate)) {
+                $themesUpdateMessage = sprintf(' (%d)', count($themesHavingUpdate));
+            }
        }

-        Piwik_AddAdminSubMenu('CorePluginsAdmin_MenuPlatform', null, "", Piwik::isUserIsSuperUser(), $order = 15);
+        Piwik_AddAdminSubMenu('CorePluginsAdmin_MenuPlatform', null, "", !Piwik::isUserIsAnonymous(), $order = 15);
        Piwik_AddAdminSubMenu('CorePluginsAdmin_MenuPlatform', Piwik_Translate('General_Plugins') . $pluginsUpdateMessage,
            array('module' => 'CorePluginsAdmin', 'action' => 'plugins', 'activated' => ''),
            Piwik::isUserIsSuperUser(),
@@ -79,7 +81,7 @@ class CorePluginsAdmin extends \Piwik\Plugin
            $order = 3);
        Piwik_AddAdminSubMenu('CorePluginsAdmin_MenuPlatform', 'CorePluginsAdmin_MenuExtend',
            array('module' => 'CorePluginsAdmin', 'action' => 'extend', 'activated' => ''),
-            Piwik::isUserIsSuperUser(),
+            !Piwik::isUserIsAnonymous(),
            $order = 5);
    }


--- a/plugins/CorePluginsAdmin/javascripts/pluginDetail.js
+++ b/plugins/CorePluginsAdmin/javascripts/pluginDetail.js
@@ -57,7 +57,7 @@ $(document).ready(function () {

    $('.themeslist').on('click', '.more', function (event) {
        var themeName = $( this ).text();
-        var url = 'module=CorePluginsAdmin&action=themeDetails&pluginName=' + themeName;
+        var url = 'module=CorePluginsAdmin&action=pluginDetails&pluginName=' + themeName;
        Piwik_Popover.createPopupAndLoadUrl(url, 'theme details');
    });


--- a/plugins/CorePluginsAdmin/templates/pluginOverview.twig
+++ b/plugins/CorePluginsAdmin/templates/pluginOverview.twig
-{% if plugin.canBeUpdated %}
+{% if not isSuperUser %}
+{% elseif plugin.canBeUpdated %}
    <a class="update"
       href="{{ linkTo({'action':'updatePlugin', 'pluginName': plugin.name, 'nonce': updateNonce}) }}"
       >Update</a>

--- a/plugins/CorePluginsAdmin/templates/themeOverview.twig
+++ b/plugins/CorePluginsAdmin/templates/themeOverview.twig
-{% if plugin.canBeUpdated %}
+{% if not isSuperUser %}
+{% elseif plugin.canBeUpdated %}
    <a href="{{ linkTo({'action':'updatePlugin', 'pluginName': plugin.name, 'nonce': updateNonce}) }}"
       class="update"
       >{{ 'CoreUpdater_UpdateTitle'|translate }}</a>