@mattab opened this Issue on October 11th 2018 Member

Before installing a new plugin (via Marketplace or direct upload), we should ask the Super User to enter their password again. Since a plugin can easily lead to RCE, it is important to ensure that a logged-in browser cannot be used to install custom plugins.

Similar to #2932

@tsteur commented on October 23rd 2018 Member

The feature to ask for the password first will also be needed in two-factor authentication (https://github.com/matomo-org/matomo/issues/13325) and a couple of other features. So it would be good to build a general popover for this or screen or ... if possible.

@tsteur commented on October 30th 2018 Member

FYI: Developed this as part of https://github.com/matomo-org/matomo/issues/13325 . It'll be pretty much as easy as doing this in the controller:

 $this->passwordVerify->requirePasswordVerifiedRecently(array('module' => 'TwoFactorAuth', 'action' => 'disableTwoFactorAuth', 'nonce' => $nonce));

It is not in a popup though. To be seen if it can be reused there or not.
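
One way to implement the "password entered recently" gate discussed in this issue, as an added example that is not Matomo's code or part of the original comments. The class name `RecentPasswordGate`, the session key and the 15-minute window are assumptions made for illustration.

```php
<?php
// Hypothetical helper for illustration; not Matomo's PasswordVerify API.
final class RecentPasswordGate
{
    private const KEY = 'password_verified_at'; // assumed session key
    private $session;
    private $maxAge;

    public function __construct(array &$session, int $maxAge = 900)
    {
        $this->session = &$session; // keep a reference to the session storage
        $this->maxAge  = $maxAge;   // assumed window: 15 minutes
    }

    // Called by the confirmation form handler with the submitted password.
    public function confirm(string $password, string $storedHash, int $now): bool
    {
        if (!password_verify($password, $storedHash)) {
            unset($this->session[self::KEY]); // a failed attempt revokes any earlier confirmation
            return false;
        }
        $this->session[self::KEY] = $now;
        return true;
    }

    public function isFresh(int $now): bool
    {
        $at = $this->session[self::KEY] ?? null;
        return is_int($at) && $at <= $now && ($now - $at) <= $this->maxAge;
    }

    // Call first in any sensitive action (plugin install or upload, disabling 2FA).
    public function requireFresh(int $now): void
    {
        if (!$this->isFresh($now)) {
            throw new RuntimeException('password confirmation required');
        }
    }
}

// Constructed demo: a session that is logged in but has not re-entered the password.
$session = ['login' => 'superuser'];
$hash    = password_hash('constructed-demo-password', PASSWORD_DEFAULT);
$gate    = new RecentPasswordGate($session);
$t0      = 1540000000; // constructed timestamp
var_dump($gate->isFresh($t0), $gate->confirm('wrong', $hash, $t0),
    $gate->confirm('constructed-demo-password', $hash, $t0),
    $gate->isFresh($t0 + 60), $gate->isFresh($t0 + 901));
```

A controller would catch the exception from `requireFresh()` and send the user to the password form instead of running the install.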
