Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Separating read-only from read-write files: PIWIK_USER_PATH does not work #11654

Closed
florianjacob opened this issue Apr 27, 2017 · 3 comments
Closed

Separating read-only from read-write files: PIWIK_USER_PATH does not work #11654

florianjacob opened this issue Apr 27, 2017 · 3 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc.
Milestone
3.1.0

Comments

@florianjacob
Copy link
Contributor

From #1453 (comment) by @robocoder, I learned that you should be able to overwrite PIWIK_USER_PATH via bootstrap.php to move the writable piwik folders, config and tmp, to a read-write directory, and keep the rest read-only.

I found out that I need to copy the config folder to PIWIK_USER_PATH, and tmp is created automatically.

Problem is: Afterwards, there are errors about missing plugin folders and unfound stylesheet files. I investigated the code and found suspicious uses of PIWIK_USER_PATH in core/AssetManager/UIAssetFetcher.php and core/AssetManager/UIAssetMerger/StylesheetUIAssetMerger.php which look like they should be PIWIK_INCLUDE_PATH. I tried to patch them to PIWIK_INCLUDE_PATH, I can load the page then, but it renders without stylesheets. 😢 In that state, I could not find any error messages, so I don't really know what's not working.

https://piwik.org/docs/include-piwik-in-your-project/#bootstrap-php-execute-custom-code-before-piwik-runs notes that using PIWIK_USER_PATH and PIWIK_INCLUDE_PATH “facilitates a ‘best practice’ of preventing direct access to PHP files.” – I could not find concrete examples on how and what exactly to do to achieve this, e.g. whether I also should copy plugins or so.

Related: #10854

Steps to reproduce:

  1. download piwik in a new directory from your webserver, e.g. /var/www/piwik
  2. add bootstrap.php with e.g.:
<?php
define('PIWIK_USER_PATH', '/var/lib/piwik');
?>
  1. create /var/lib/piwik and make it writable from the webserver
  2. copy /var/www/piwik/config into /var/lib/piwik
  3. access piwik

Result:

Piwik encoutered an error: An exception has been thrown during the rendering of a template ("The ui asset with 'href' = /var/lib/piwik/plugins/Morpheus/stylesheets/base/bootstrap.css is not readable").

I don't know how to get a working PIWIK_USER_PATH, seems like there is more to it that the presumably wrong use of PIWIK_USER_PATH in AssetManager classes which I do not understand.

(Not important for the problem, but for people who find this through search: I'm trying to do this to create a Nix package and NixOS module, where I have to separate statefull and stateless files)
@florianjacob florianjacob mentioned this issue Apr 27, 2017
Closed
@robocoder
Copy link
Contributor

In hindsight, PIWIK_USER_PATH was a kludge as it accommodated the ability to drop piwik into a web folder and treat that as the doc root, instead of doing the right thing from the beginning.

Nowadays, it would be more conventional to have index.php and piwik.js in a public folder and force the user to set the DocumentRoot correctly.

florianjacob added a commit to florianjacob/matomo that referenced this issue May 2, 2017
@florianjacob
Correct PIWIK_USER_PATH to PIWIK_INCLUDE_PATH
30f89c5 
in UIAssetFetcher and StylesheetUIAssetMerger.
Resolves matomo-org#11654, makes PIWIK_USER_PATH work again.
Presumably. the paths were just mixed up.
@florianjacob
Copy link
Contributor Author

@robocoder I understand your suggestion with a public folder, it sounds like something I want as well. 😄 Thank you!
Can I achieve this setup by creating a public folder like this myself, move the relevant files in there, and use PIWIK_INCLUDE_PATH to point outside of public?

But even then, I think I need something like PIWIK_USER_PATH to separate local state files from files that can be read-only and get upgraded on a new release only.

I found out my other problem after patching PIWIK_USER_PATH to PIWIK_INCLUDE_PATH were resulting from whitespace in my bootstrap.php, and vanished after I found them and cleaned up.

@florianjacob florianjacob mentioned this issue May 2, 2017
Merged
@florianjacob
Copy link
Contributor Author

I wrote a PR at #11661 which seems to fix all problems I had with PIWIK_USER_PATH- at least I could not find something else that does not work.

florianjacob added a commit to florianjacob/matomo that referenced this issue May 13, 2017
@florianjacob
Correct PIWIK_USER_PATH to PIWIK_DOCUMENT_ROOT
a7fc4cb 
in UIAssetFetcher and StylesheetUIAssetMerger.
Resolves matomo-org#11654, makes PIWIK_USER_PATH work again.
Presumably. the paths were just mixed up.
mattab pushed a commit that referenced this issue Jul 25, 2017
@florianjacob @mattab
Correct PIWIK_USER_PATH to PIWIK_DOCUMENT_ROOT (#11661)
af84e77 
in UIAssetFetcher and StylesheetUIAssetMerger.
Resolves #11654, makes PIWIK_USER_PATH work again.
Presumably. the paths were just mixed up.
@mattab mattab added the Bug For errors / faults / flaws / inconsistencies etc. label Sep 11, 2017
@mattab mattab added this to the 3.1.0 milestone Sep 11, 2017
@src-of-truth src-of-truth bot mentioned this issue Oct 6, 2019
Open
@florianjacob florianjacob mentioned this issue Nov 3, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug For errors / faults / flaws / inconsistencies etc.
Projects
None yet
Milestone
3.1.0
Development

No branches or pull requests
3 participants
@mattab @robocoder @florianjacob