Disable adding new plugins (for security) while still checking for plugin updates #15966
Labels: c: Security, Enhancement
Currently, users who want to secure their Matomo installation as much as possible need to follow the recommendations in https://matomo.org/docs/security-how-to/
As part of this guide, it would make sense if we could add one more step, which would be to prevent Super Users from installing or activating new plugins from the Marketplace. Without this step, any super user could install any plugin from the marketplace, which wouldn't necessarily be secure. (To be very secure, a company may decide to individually review plugins before enabling them. Ideally, super users shouldn't be able to install plugins from the marketplace.)
Current situation
enable_plugin_upload = 0 by default, which prevents new plugins from being "uploaded" manually, but the marketplace can still be used.
Proposed solution
So ideally we need a new feature/INI setting, for example enable_install_plugin_from_marketplace, set to 1 by default; when set to 0, the feature to download the code from the marketplace would be disabled (with a popup explaining why and which setting to change if needed).