New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Require password confirmation before installing plugins #14387
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@katebutler 👍 worked. Left 2 minor comments that be changed quickly, then we can merge :)
)) { | ||
throw new \Exception($this->translator->translate('Login_LoginPasswordNotCorrect')); | ||
} | ||
|
||
static::dieIfPluginsAdminIsDisabled(); | ||
Piwik::checkUserHasSuperUserAccess(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we need to make sure to first perform several checks before performing the password check. Meaning we need to make sure
- admin is not disabled
- user has super user access.
- Plugin upload is enabled
- Nonce check is correct
Otherwise could be potentially misused for brute forcing password etc. (it would actually not really be possible) but it's a lot safer to do the password check only after a nonce etc. Could even check it only shortly before $this->configureView('@CorePluginsAdmin/uploadPlugin');
so we make sure the basic things are correct.
Works otherwise, we only need to make sure to move the check further down
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough, have moved it to just before validation of the uploaded file
FIxes #13581