Add option to disable plugin upload #11329

Closed
tsteur opened this issue Feb 8, 2017 · 1 comment · Fixed by #11445
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement.
tsteur commented Feb 8, 2017

It could be good to have an option to disable plugin upload, maybe it could be even disabled by default (to be decided). Most users likely will never need it so good to make UI simpler etc. We would also need to update some FAQs.

It can already be disabled via enable_plugins_admin, but it would be great to have a separate option for it, as users often still want to use the plugins admin but not the upload.

FYI: Only logged in super users can upload plugins, nothing will change there.

tsteur added the Help wanted and Enhancement labels Feb 8, 2017
mattab added the c: Security label Feb 21, 2017
mattab added this to the 3.0.3 milestone Feb 21, 2017
mattab commented Feb 21, 2017

> It could be good to have an option to disable plugin upload, maybe it could be even disabled by default (to be decided).

Will be good to decide on this soon. Administrators of a Piwik server would likely not expect Super Users to be able to execute code on servers. I think it would make a lot of sense to prevent RCE (remote code execution) by default for Super users, as it would be consistent with our high security standards and overall practices.
