diff --git a/plugins/CorePluginsAdmin/Controller.php b/plugins/CorePluginsAdmin/Controller.php
index d1e4cc6f538107b0e09f3a729e84d0a69af23f93..0442991098bb3eb9845cb74b4f05a3f66bb715f7 100644
--- a/plugins/CorePluginsAdmin/Controller.php
+++ b/plugins/CorePluginsAdmin/Controller.php
@@ -34,10 +34,13 @@ class Controller extends \Piwik\Controller\Admin
     public function updatePlugin()
     {
+        Piwik::checkUserIsSuperUser();
+
         $view = $this->configureView('@CorePluginsAdmin/updatePlugin');
         $view->errorMessage = '';
         $pluginName = Common::getRequestVar('pluginName', '', 'string');
+        $pluginName = strip_tags($pluginName);
         $nonce = Common::getRequestVar('nonce', '', 'string');
         if (empty($pluginName)) {
@@ -72,10 +75,13 @@ class Controller extends \Piwik\Controller\Admin
     public function installPlugin()
     {
+        Piwik::checkUserIsSuperUser();
+
         $view = $this->configureView('@CorePluginsAdmin/installPlugin');
         $view->errorMessage = '';
         $pluginName = Common::getRequestVar('pluginName', '', 'string');
+        $pluginName = strip_tags($pluginName);
         $nonce = Common::getRequestVar('nonce', '', 'string');
         if (empty($pluginName)) {
@@ -117,22 +123,18 @@ class Controller extends \Piwik\Controller\Admin
             return;
         }
-        $marketplace = new MarketplaceApiClient();
+        $view = $this->configureView('@CorePluginsAdmin/pluginDetails');
-        $view = $this->configureView('@CorePluginsAdmin/pluginDetails');
+        $marketplace = new MarketplaceApiClient();
         $view->plugin = $marketplace->getPluginInfo($pluginName);
         echo $view->render();
     }
-    public function themeDetails()
-    {
-        $this->pluginDetails();
-    }
-
     public function browsePlugins()
     {
         $query = Common::getRequestVar('query', '', 'string', $_POST);
+        $query = strip_tags($query);
         $sort = Common::getRequestVar('sort', $this->defaultSortMethod, 'string');
         if (!in_array($sort, $this->validSortMethods)) {
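Review bot: `strip_tags()` on `$pluginName` after the `Common::getRequestVar` call is not a validator for a plugin identifier — it only removes HTML tags and passes everything else through, including dots and path separators, and it is the only treatment visible before the value reaches the `if (empty($pluginName))` branch. A plugin name wants an allowlist check such as `if (!preg_match('/^[A-Za-z0-9_]+$/', $pluginName)) { $pluginName = ''; }` so that invalid input falls into the existing empty-name branch, with HTML escaping left to the template at output time. The same pattern recurs in installPlugin (@@ -72), themes (@@ -204) and the hunk at @@ -303, and for the search `$query` in browsePlugins (@@ -117) and browseThemes (@@ -155), where a free-text value is better left intact and escaped in the template than mangled on input. The rest of updatePlugin, including the nonce check, lies outside the hunk.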
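Review bot: pluginDetails has no permission check of its own — the `configureView` call moved above `new MarketplaceApiClient()` is the only one, and the hunk at @@ -228 relaxes that helper to `Piwik::checkUserIsNotAnonymous()`, so any logged-in user can drive a marketplace lookup with a caller-supplied `$pluginName`. The start of pluginDetails, where `$pluginName` is read, is outside the hunk, so it is not visible whether it gets the same `strip_tags()` treatment the commit adds to the other actions. If opening this read-only view to all logged-in users is intended (the menu is opened to non-anonymous users in CorePluginsAdmin.php), a comment on the `configureView` line such as `// Read-only view: any logged-in user may look up marketplace details; configureView rejects anonymous only.` would record that decision.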
@@ -148,6 +150,7 @@ class Controller extends \Piwik\Controller\Admin
         $view->sort = $sort;
         $view->installNonce = Nonce::getNonce('CorePluginsAdmin.installPlugin');
         $view->updateNonce = Nonce::getNonce('CorePluginsAdmin.updatePlugin');
+        $view->isSuperUser = Piwik::isUserIsSuperUser();
         echo $view->render();
     }
@@ -155,6 +158,7 @@ class Controller extends \Piwik\Controller\Admin
     public function browseThemes()
     {
         $query = Common::getRequestVar('query', '', 'string', $_POST);
+        $query = strip_tags($query);
         $sort = Common::getRequestVar('sort', $this->defaultSortMethod, 'string');
         if (!in_array($sort, $this->validSortMethods)) {
@@ -170,6 +174,7 @@ class Controller extends \Piwik\Controller\Admin
         $view->sort = $sort;
         $view->installNonce = Nonce::getNonce('CorePluginsAdmin.installPlugin');
         $view->updateNonce = Nonce::getNonce('CorePluginsAdmin.updatePlugin');
+        $view->isSuperUser = Piwik::isUserIsSuperUser();
         echo $view->render();
     }
@@ -182,6 +187,8 @@ class Controller extends \Piwik\Controller\Admin
     function plugins()
     {
+        Piwik::checkUserIsSuperUser();
+
         $activated = Common::getRequestVar('activated', false, 'integer', $_GET);
         $pluginName = Common::getRequestVar('pluginName', '', 'string');
@@ -204,8 +211,11 @@ class Controller extends \Piwik\Controller\Admin
     function themes()
     {
+        Piwik::checkUserIsSuperUser();
+
         $activated = Common::getRequestVar('activated', false, 'integer', $_GET);
         $pluginName = Common::getRequestVar('pluginName', '', 'string');
+        $pluginName = strip_tags($pluginName);
         $view = $this->configureView('@CorePluginsAdmin/themes');
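Review bot: plugins() reads `$pluginName` right after the new `Piwik::checkUserIsSuperUser()` but, unlike themes() in the hunk at @@ -204, gets no `strip_tags($pluginName)` line, so the two sibling actions treat the same request parameter differently. Either add `$pluginName = strip_tags($pluginName);` after the `getRequestVar` call here for consistency, or, better, route both through one shared allowlist validation of the plugin name. The rest of plugins() is outside the hunk, so it is not visible what the value is used for there.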
@@ -219,8 +229,8 @@ class Controller extends \Piwik\Controller\Admin
         $view->updateNonce = Nonce::getNonce('CorePluginsAdmin.updatePlugin');
         $view->activateNonce = Nonce::getNonce('CorePluginsAdmin.activatePlugin');
         $view->pluginsInfo = $pluginsInfo;
-        $marketplace = new Marketplace();
+        $marketplace = new Marketplace();
         $view->pluginsHavingUpdate = $marketplace->getPluginsHavingUpdate($pluginsInfo, $themesOnly = true);
         echo $view->render();
@@ -228,7 +238,7 @@ class Controller extends \Piwik\Controller\Admin
     protected function configureView($template)
     {
-        Piwik::checkUserIsSuperUser();
+        Piwik::checkUserIsNotAnonymous();
         $view = new View($template);
         $this->setBasicVariablesView($view);
         $this->displayWarningIfConfigFileNotWritable($view);
@@ -303,6 +313,7 @@ class Controller extends \Piwik\Controller\Admin
         Piwik::checkUserIsSuperUser();
         $pluginName = Common::getRequestVar('pluginName', '', 'string');
+        $pluginName = strip_tags($pluginName);
         $nonce = Common::getRequestVar('nonce', '', 'string');
         if (empty($pluginName)) {
diff --git a/plugins/CorePluginsAdmin/CorePluginsAdmin.php b/plugins/CorePluginsAdmin/CorePluginsAdmin.php
index 8f4e44c866ef405ce6aebd4a8e9b283f5ab77dcb..4b3e012400e79c7f037adb8915a7c728ad283e42 100644
--- a/plugins/CorePluginsAdmin/CorePluginsAdmin.php
+++ b/plugins/CorePluginsAdmin/CorePluginsAdmin.php
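Review bot: Relaxing the check in `configureView` from super user to `Piwik::checkUserIsNotAnonymous()` weakens every action that relied on this shared helper for authorization; the commit adds explicit `Piwik::checkUserIsSuperUser()` calls to updatePlugin, installPlugin, plugins and themes, but not every caller of configureView is visible in this diff, and a future action that only calls configureView will be reachable by any logged-in user without anyone noticing. A docblock on the method should make the reduced guarantee explicit, e.g. `/** Builds the admin view. Only rejects anonymous users — actions that change state must call Piwik::checkUserIsSuperUser() themselves. */`. The remainder of configureView runs past the end of the hunk.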
@@ -54,21 +54,23 @@ class CorePluginsAdmin extends \Piwik\Plugin
     function addMenu()
     {
-        $marketplace = new Marketplace();
-        $pluginsHavingUpdate = $marketplace->getPluginsHavingUpdate($themesOnly = false);
-        $themesHavingUpdate = $marketplace->getPluginsHavingUpdate($themesOnly = true);
-        $pluginsUpdateMessage = '';
-        if (!empty($pluginsHavingUpdate)) {
-            $pluginsUpdateMessage = sprintf(' (%d)', count($pluginsHavingUpdate));
-        }
+        $themesUpdateMessage = '';
-        $themesUpdateMessage = '';
-        if (!empty($themesHavingUpdate)) {
-            $themesUpdateMessage = sprintf(' (%d)', count($themesHavingUpdate));
+        if (Piwik::isUserIsSuperUser()) {
+            $marketplace = new Marketplace();
+            $pluginsHavingUpdate = $marketplace->getPluginsHavingUpdate($themesOnly = false);
+            $themesHavingUpdate = $marketplace->getPluginsHavingUpdate($themesOnly = true);
+
+            if (!empty($pluginsHavingUpdate)) {
+                $pluginsUpdateMessage = sprintf(' (%d)', count($pluginsHavingUpdate));
+            }
+            if (!empty($themesHavingUpdate)) {
+                $themesUpdateMessage = sprintf(' (%d)', count($themesHavingUpdate));
+            }
         }
-        Piwik_AddAdminSubMenu('CorePluginsAdmin_MenuPlatform', null, "", Piwik::isUserIsSuperUser(), $order = 15);
+        Piwik_AddAdminSubMenu('CorePluginsAdmin_MenuPlatform', null, "", !Piwik::isUserIsAnonymous(), $order = 15);
         Piwik_AddAdminSubMenu('CorePluginsAdmin_MenuPlatform', Piwik_Translate('General_Plugins') . $pluginsUpdateMessage,
                               array('module' => 'CorePluginsAdmin', 'action' => 'plugins', 'activated' => ''),
                               Piwik::isUserIsSuperUser(),
@@ -79,7 +81,7 @@ class CorePluginsAdmin extends \Piwik\Plugin
                               $order = 3);
         Piwik_AddAdminSubMenu('CorePluginsAdmin_MenuPlatform', 'CorePluginsAdmin_MenuExtend',
                               array('module' => 'CorePluginsAdmin', 'action' => 'extend', 'activated' => ''),
-                              Piwik::isUserIsSuperUser(),
+                              !Piwik::isUserIsAnonymous(),
                               $order = 5);
     }
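Review bot: `$pluginsUpdateMessage` is no longer initialised — the removed `$pluginsUpdateMessage = '';` is not re-added next to the new `$themesUpdateMessage = '';`, yet the variable is still concatenated in the `Piwik_Translate('General_Plugins') . $pluginsUpdateMessage` call further down, so for non-super users and for super users without pending plugin updates it is undefined (a PHP notice, and an empty label only by accident). Add `$pluginsUpdateMessage = '';` alongside the themes initialisation at the top of the method.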
diff --git a/plugins/CorePluginsAdmin/javascripts/pluginDetail.js b/plugins/CorePluginsAdmin/javascripts/pluginDetail.js
index 1183c12ed10d590d88bdd185e35b6c35c3566e8d..d3f464b511453d84b3df4fdad2ffe61c7c1ba01d 100755
--- a/plugins/CorePluginsAdmin/javascripts/pluginDetail.js
+++ b/plugins/CorePluginsAdmin/javascripts/pluginDetail.js
@@ -57,7 +57,7 @@ $(document).ready(function () {
     $('.themeslist').on('click', '.more', function (event) {
         var themeName = $( this ).text();
-        var url = 'module=CorePluginsAdmin&action=themeDetails&pluginName=' + themeName;
+        var url = 'module=CorePluginsAdmin&action=pluginDetails&pluginName=' + themeName;
         Piwik_Popover.createPopupAndLoadUrl(url, 'theme details');
     });
diff --git a/plugins/CorePluginsAdmin/templates/pluginOverview.twig b/plugins/CorePluginsAdmin/templates/pluginOverview.twig
index 9059c03fb26bc1828a9ce9a12b7ecfabe0831ccc..d5da8de48764157f67a55f342446a7464c0ae6fd 100644
--- a/plugins/CorePluginsAdmin/templates/pluginOverview.twig
+++ b/plugins/CorePluginsAdmin/templates/pluginOverview.twig
@@ -1,4 +1,5 @@
-{% if plugin.canBeUpdated %}
+{% if not isSuperUser %}
+{% elseif plugin.canBeUpdated %}
     <a class="update" href="{{ linkTo({'action':'updatePlugin', 'pluginName': plugin.name, 'nonce': updateNonce}) }}"
        >Update</a>
diff --git a/plugins/CorePluginsAdmin/templates/themeOverview.twig b/plugins/CorePluginsAdmin/templates/themeOverview.twig
index 4522756572ff54cfee4e0ea3d80564c565f8f543..dffb65aa253e7e1497723004db4378b31da6a390 100644
--- a/plugins/CorePluginsAdmin/templates/themeOverview.twig
+++ b/plugins/CorePluginsAdmin/templates/themeOverview.twig
@@ -1,4 +1,5 @@
-{% if plugin.canBeUpdated %}
+{% if not isSuperUser %}
+{% elseif plugin.canBeUpdated %}
     <a href="{{ linkTo({'action':'updatePlugin', 'pluginName': plugin.name, 'nonce': updateNonce}) }}" class="update"
        >{{ 'CoreUpdater_UpdateTitle'|translate }}</a>
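Review bot: The new `url` line still concatenates `themeName`, taken from the clicked element's text, straight into the query string without encoding, so a name containing `&`, `=` or `#` would alter or truncate the request parameters that `Piwik_Popover.createPopupAndLoadUrl` sends. Use `var url = 'module=CorePluginsAdmin&action=pluginDetails&pluginName=' + encodeURIComponent(themeName);`. The click handler begins and ends outside the hunk.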
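Review bot: The empty `{% if not isSuperUser %}` branch reads as an accident; its purpose — suppressing every update/install control for non-super users while leaving the rest of the `elseif` chain, which continues past the hunk, untouched — deserves a Twig comment inside it, e.g. `{# non-super users get no update/install actions; remaining branches are super-user only #}`. Note also that `isSuperUser` must be assigned by every controller that renders this template: if it is unset, `not isSuperUser` is true in Twig's default non-strict mode (fails closed, nothing is shown), but it throws under `strict_variables`. The same applies to themeOverview.twig in the section below.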