@sgiehl opened this Pull Request on May 31st 2016 Member

New proxy method is used for download links in email reports and datatables, to avoid exposing the token_auth in direct API URLs.

fixes #10185
fixes #10147

@andrzejewsky commented on June 7th 2016 Contributor

@sgiehl 👍 (I left a few comments)

@sgiehl commented on June 7th 2016 Member

Thx for the comments. I'll check those in the coming days

@sgiehl commented on June 13th 2016 Member

@andrzejewsky I've adjusted most of the stuff according to your feedback.

@tsteur @mattab does anyone have time for a quick look at the PR, so we can merge it?

@tsteur commented on June 13th 2016 Member

I'm quite busy :( don't think I'll have time for it soon as it will take some time re security etc

@tsteur commented on June 13th 2016 Member

Maybe some tests could be added? Or is it tested via the export UI tests already maybe?

@mattab commented on July 8th 2016 Member

Review

  • Add tests so the whole functionality is tested

@mattab commented on July 20th 2016 Member

fyi reasons for not merging were:

  • the security impact is limited
  • a bit complex to review, limited time
  • we would like to solve the issue differently in Piwik. Ideally, to export a dataset, users wouldn't have to copy paste a small link using Right click, but maybe we could open a popover window, and let people either download the file or copy paste the link to be shared with others. This functionality would depend on how we wish to rewrite a more secure API authentication mechanism (e.g. oAuth2 https://github.com/piwik/piwik/issues/906 and https://github.com/piwik/piwik/issues/5703 )

This Pull Request was closed on July 18th 2016