Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require password confirmation when removing users through UI #19586

Merged
merged 9 commits into from Aug 3, 2022
Merged

Require password confirmation when removing users through UI #19586

merged 9 commits into from Aug 3, 2022

Conversation

sgiehl
Copy link
Member

@sgiehl sgiehl commented Aug 1, 2022
edited

Description:

As removing users is an action that can't be undone, it's more secure to ask for a password confirmation in the UI.
This will prevent accidentally removing users and will make it e.g. impossible to use an active session of someone else to remove users without knowing his password.

Note: This PR also improves the error handling of bulk requests in AjaxHandler. When e.g. removing multiple users, this is done in a bulk request. If an error occurs (like incorrect password), an error notification was previously created containing each error response of the bulk request. This could e.g. cause that the incorrect password error was show hundreds of times in the error notification. With the changes in this PR, the error messages will be counted and only printed once (together with the count).

Review

@sgiehl sgiehl added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Needs Review PRs that need a code review labels Aug 1, 2022
@sgiehl sgiehl added this to the 4.12.0 milestone Aug 1, 2022
@sgiehl sgiehl changed the title Require password confirmation when removing users Require password confirmation when removing users through UI Aug 1, 2022
@sgiehl sgiehl force-pushed the deleteuserconfirm branch 4 times, most recently from 249789d to c8e5624 Compare August 1, 2022 13:52
bx80
bx80 approved these changes Aug 1, 2022
View reviewed changes
Copy link
Contributor

@bx80 bx80 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested deleting single and multiple users, the password prompt is always shown. Errors are shown when deleting if removing one user fails but the other succeeds. 👍

I noticed the password confirmation dialog 'No' button is missing it's formatting.
(plugins/CorePluginsAdmin/vue/src/PasswordConfirmation.vue line 37, the no button link is missing the btn-flat class)
Not caused by this PR but maybe could be fixed here?

There are a couple of UI test that are might need an update, otherwise this seems ready to merge.

@sgiehl
Copy link
Member Author

sgiehl commented Aug 2, 2022

I noticed the password confirmation dialog 'No' button is missing it's formatting.
(plugins/CorePluginsAdmin/vue/src/PasswordConfirmation.vue line 37, the no button link is missing the btn-flat class)
Not caused by this PR but maybe could be fixed here?

I wasn't sure, if that was done on purpose before. But I'll push a change nevertheless. Guess it looks better if the button is displayed correctly.

@sgiehl sgiehl mentioned this pull request Aug 2, 2022
Merged
11 tasks
@sgiehl sgiehl merged commit 02e2f82 into 4.x-dev Aug 3, 2022
@sgiehl sgiehl deleted the deleteuserconfirm branch August 3, 2022 14:37
@justinvelluppillai justinvelluppillai removed the Needs Review PRs that need a code review label Sep 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bx80 bx80 bx80 approved these changes

Assignees
No one assigned
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Projects
None yet
Milestone
4.12.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@sgiehl @bx80 @justinvelluppillai