Fine-grained permission system #1568

Closed
robocoder opened this issue Aug 9, 2010 · 10 comments
Labels
duplicate For issues that already existed in our issue tracker and were reported previously. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.

Comments

@robocoder
Contributor

Superuser can define what a non-superuser can or can't do. Examples:

  • can change password
  • can change email address
  • can add/modify/delete sites (who already has at least admin access to one or more sites)
  • can add/modify/delete other users
  • can use token_auth with REST API
  • ...

(Some of this might overlap/conflict with the existing access system.)

Can be applied to an individual user or all users.

@gka
Contributor

gka commented Aug 9, 2010

By now it is only possible to allow or deny full viewing access to sites. Is it possible to limit the viewing access to certain plugins? This would be very helpful for anybody who likes to embed a single widget on a public page. Maybe we can introduce auth tokens that are limited to certain plugins?

@robocoder
Contributor Author

IIRC widget-specific access was discussed in #283.

@robocoder
Contributor Author

See Zend_Acl.

@mattab
Member

mattab commented Nov 3, 2011

Proposed settings to add in Piwik core:

See also #1148

@anonymous-matomo-user

Attachment: Patch for SitesManager plugin. Now simple Administrators can add new sites to track.
SitestManagerPatch.txt

@anonymous-matomo-user

Hello from Codax team, Russia. We have just posted the patch for core for the 'SitesManager' plugin.

So it allows Admin users to create websites they wish to track.

Check out the attached file.

@anonymous-matomo-user

Hi,
I just want to support a more detailed permission system in which an admin is able to restrict view access.
In my case I want to deny view access to 'Ecommerce & Goals' for a specific user.

@robocoder
Contributor Author

Idea:

  • add an access table that defines menu layout and access to controllers (and optionally, individual actions):
    class Access {
        int id;
        string name;           // either plugin or plugin+controller
        string action;
        string label;          // for menu items
        Access parent;
        int priority;          // for ordering menu items
        string authorization;  // user-definable via a GUI
    }
  • subscribe to FrontController.dispatch event; hook will pass through the request if authorization string is undefined (backward compatibility); returns 403 if authorization string is defined and user doesn't have authorization
  • core/Menu/* - check authorization before adding menu/submenu items
  • some of the existing checks would move into the Access table; remaining programmatic checks, such as Piwik::checkUserIsSuperUserOrTheUser(), will still have final say (for BC)
  • an Authorization service to encapsulate the isAuthorized() logic

administrative UI should manage:

  • access table
  • role assignment and hierarchy
  • menu access preview (by user or role)
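
One way the `isAuthorized()` logic and the dispatch-hook decision from the comment above could work, as an added example that is not part of the original comment or of Matomo's code. The class names `AccessRule` and `Authorization`, the list of authorization strings granted to a user, and the rule that a child entry also requires its parents' authorizations are all assumptions.

```php
<?php
// Added illustration for PHP 8.1+; all names are hypothetical, not Matomo code.
final class AccessRule
{
    public function __construct(
        public readonly string $name,            // plugin or plugin+controller
        public readonly ?string $action,         // null: applies to every action
        public readonly ?string $authorization,  // null: undefined, pass through
        public readonly ?AccessRule $parent = null
    ) {}
}

final class Authorization
{
    /** @param AccessRule[] $rules */
    public function __construct(private array $rules) {}

    // Most specific rule wins: exact action first, then the controller-wide rule.
    private function find(string $name, string $action): ?AccessRule
    {
        $fallback = null;
        foreach ($this->rules as $rule) {
            if ($rule->name !== $name) { continue; }
            if ($rule->action === $action) { return $rule; }
            if ($rule->action === null) { $fallback = $rule; }
        }
        return $fallback;
    }

    /** @param string[] $granted authorization strings held by the user */
    public function isAuthorized(array $granted, string $name, string $action): bool
    {
        // Assumption: a rule also requires every authorization defined on its parents.
        for ($r = $this->find($name, $action); $r !== null; $r = $r->parent) {
            if ($r->authorization !== null && !in_array($r->authorization, $granted, true)) {
                return false;
            }
        }
        return true; // no rule or no authorization string: backward compatible
    }
}

// Constructed sample data: status the dispatch hook would return per request.
$goals = new AccessRule('Goals', null, 'view_goals');
$auth = new Authorization([$goals, new AccessRule('Goals', 'addGoal', 'manage_goals', $goals)]);
foreach ([['Goals', 'index'], ['Goals', 'addGoal'], ['Live', 'index']] as [$n, $a]) {
    $status = $auth->isAuthorized(['view_goals'], $n, $a) ? 200 : 403;
    printf("%s.%s => %d\n", $n, $a, $status);
}
```

The pass-through for undefined entries keeps existing installs working but makes the table default-allow, so any remaining programmatic checks still have to run after this hook.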

@sebastianpiskorski
Contributor

+1 on this one

@mattab mattab modified the milestones: Long term, Mid term Dec 23, 2015
@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016
@sgiehl
Member

sgiehl commented Aug 24, 2023

closing in favor of #21175

@sgiehl sgiehl closed this as completed Aug 24, 2023
@sgiehl sgiehl added the duplicate For issues that already existed in our issue tracker and were reported previously. label Aug 24, 2023
6 participants