I couldn't find a good way for showing different error if site does not exist compared to not having permission and it also would be information disclosure. It would be easy to find out how many sites are tracked with a Piwik etc.

The only way to solve it would be to check whether a given site exists using the SitesManager\Model as this one does not check for view permission. Problem is that the current code is in core and does not know anything about that plugin so we'd have to trigger an event for this check which is not so nice. Also I think it is good not to disclose any information here. Also the error (site does not exist) should not happen unless users manipulate the URL manually.

The issue is due to period = range. A specific method needs to execute new Site(...) regardless of period value. I have hacky fix locally, will post the diff here soon.

diff --git a/plugins/CoreHome/Controller.php b/plugins/CoreHome/Controller.php
index 7fdfe1d..cbd8a06 100644
--- a/plugins/CoreHome/Controller.php
+++ b/plugins/CoreHome/Controller.php
@@ -156,6 +156,10 @@ class Controller extends \Piwik\Plugin\Controller

     protected function setDateTodayIfWebsiteCreatedToday()
     {
+        $websiteId = Common::getRequestVar('idSite', false, 'int');
+        $website = $websiteId === false ? null : new Site($websiteId); // make sure internal access check is indirectly performed so URLs w/o access
+                                                                       // will be redirected to Login
+
         $date = Common::getRequestVar('date', false);
         if ($date == 'today'
             || Common::getRequestVar('period', false) == 'range'
@@ -163,11 +167,7 @@ class Controller extends \Piwik\Plugin\Controller
             return;
         }

-        $websiteId = Common::getRequestVar('idSite', false, 'int');
-
-        if ($websiteId) {
-
-            $website = new Site($websiteId);
+        if (!empty($website)) {
             $datetimeCreationDate      = $website->getCreationDate()->getDatetime();
             $creationDateLocalTimezone = Date::factory($datetimeCreationDate, $website->getTimezone())->toString('Y-m-d');
             $todayLocalTimezone        = Date::factory('now', $website->getTimezone())->toString('Y-m-d');

This will provide the correct behaviour, but it doesn't solve the underlying problem (that idSite should be handled ONE way in ONE place). Unfortunately, I don't think a proper solution is feasible at the moment.

I didn't find that check and had no idea it exists. As you mentioned in your comment it is "indirectly performed". Don't like it so much, this will most likely fail again. Even if we had tests for it, it will be hard to find (it was in this case like this as well as it failed somewhere else in checkSitePermission which is more explicit). Why don't we add a check to FrontController to make it explicit? Meaning if idSite param is given and not empty we would check for the site permission.

If it doesn't break anything I guess it's fine. Just need to make sure for controller actions it redirects to login instead of throwing an exception.

Moved to 2.12.0 unless someone wants to merge it for 2.11.0!

Worked on the FrontController idea. Solving it in FrontController.dispatch results in an endless loop as it will fail eg for CoreHome.index, then post an event userNotAuthorized which will try to dispatch eg Login.index which will fail again etc. Of course it would be doable to avoid the endless loop but the FrontController is actually not really responsible for this kinda things. Neither in the init() method of the FrontController. Was not a good idea of mine. I think it actually belongs where it is currently (Controller::checkSitePermission). The method name checkSitePermission is pretty explicit / clear and it will be only executed if needed and it kinda belongs to the Controller. So would personally not do any change but if someone wants to fix it differently go for it