CorePluginsAdmin should accept superuser authtoken even if no user is logged in #3413
Comments
|
This is a security measure to prevent CSRF which would make it trivial to remotely disable all piwik plugins... but one could do a lot anyway like changing user password etc. so it's maybe not necessary and we could move the plugin enable/disable code to a 'super user only' API. |
|
It would be very very useful :) Thanks BTW, donno if it could be an alternative, but it would suffice to have this capability when the script is invoked directly from the cmd line .. no need to do the job via web for me. |
|
I propose we do this once we have a really good use case. Do you have a good use case? |
|
I think my fully automated install and update script is a very good use case .. as told in the original post I can automate everything but plugins couse of this limitation .. don't you agree? |
|
I agree it's good use case. Will your tool be public? |
|
No problem to make it public .. I'd be glad if you want to take it somehow and keep it up to date be your self .. In other words I can donate it if you (piwik) would integrate and keep up to date .. it's not perfect I suppose, but it makes a good work .. it's a bash script |
|
Enabling/disabling plugins require NONCE for security reasons. |
I think CorePluginsAdmin should accept superuser authtoken even if no user is logged in.
I'm writing a shell script to install and fully configure Piwik and it seems to be impossible to programmatically activate/deactivate plugins issuing the following command:
It should be possible IMHO. Looking to the source code I see auth_token is compared with the current logged user token .. failing
The text was updated successfully, but these errors were encountered: