@anonymous-matomo-user opened this Issue on October 1st 2012

I think CorePluginsAdmin should accept superuser authtoken even if no user is logged in.

I'm writing a shell script to install and fully configure Piwik and it seems to be impossible to programmatically activate/deactivate plugins issuing the following command:

command php './index.php' -- 'module=CorePluginsAdmin&action=deactivate&pluginName=Feedback&auth_token=c1c05355fbe3b4c04df07dcdfa306e8b'

It should be possible IMHO. Looking at the source code, I see auth_token is compared with the currently logged-in user's token .. failing

@mattab commented on October 3rd 2012 Member

This is a security measure to prevent CSRF which would make it trivial to remotely disable all Piwik plugins... but one could do a lot anyway like changing user password etc. so it's maybe not necessary and we could move the plugin enable/disable code to a 'super user only' API.

@anonymous-matomo-user commented on October 4th 2012

It would be very very useful :) Thanks

BTW, dunno if it could be an alternative, but it would suffice to have this capability when the script is invoked directly from the cmd line .. no need to do the job via web for me.

@mattab commented on April 4th 2013 Member

I propose we do this once we have a really good use case. Do you have a good use case?

@anonymous-matomo-user commented on April 4th 2013

I think my fully automated install and update script is a very good use case .. as told in the original post I can automate everything but plugins because of this limitation ..

don't you agree?

@mattab commented on April 4th 2013 Member

I agree it's a good use case. Will your tool be public?
Or are you the only one going to use it?

@anonymous-matomo-user commented on April 8th 2013

No problem to make it public .. I'd be glad if you want to take it somehow and keep it up to date by yourself .. In other words I can donate it if you (Piwik) would integrate and keep up to date .. it's not perfect I suppose, but it does a good job .. it's a bash script

@mattab commented on January 13th 2014 Member

Enabling/disabling plugins requires a nonce for security reasons.

This Issue was closed on January 13th 2014