Require password confirmation before installing plugins (matomo-org#1…

…4387) * Require password confirmation before installing plugins * Simpler workflow for incorrect password when uploading plugin * Refactoring * PR changes
Charpy · May 2, 2019 · 3492c37 · 3492c37
1 parent cbd5899
commit 3492c37
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 8 deletions.
diff --git a/plugins/CorePluginsAdmin/Controller.php b/plugins/CorePluginsAdmin/Controller.php
@@ -21,6 +21,7 @@
 use Piwik\Piwik;
 use Piwik\Plugin;
 use Piwik\Plugins\CorePluginsAdmin\Model\TagManagerTeaser;
+use Piwik\Plugins\Login\PasswordVerifier;
 use Piwik\Plugins\Marketplace\Marketplace;
 use Piwik\Plugins\Marketplace\Controller as MarketplaceController;
 use Piwik\Plugins\Marketplace\Plugins;
@@ -61,19 +62,30 @@ class Controller extends Plugin\ControllerAdmin
      */
     private $marketplacePlugins;
 
+    /**
+     * @var PasswordVerifier
+     */
+    private $passwordVerify;
+
     /**
      * Controller constructor.
      * @param Translator $translator
      * @param Plugin\SettingsProvider $settingsProvider
      * @param PluginInstaller $pluginInstaller
      * @param Plugins $marketplacePlugins
+     * @param PasswordVerifier $passwordVerify
      */
-    public function __construct(Translator $translator, Plugin\SettingsProvider $settingsProvider, PluginInstaller $pluginInstaller, $marketplacePlugins = null)
-    {
+    public function __construct(Translator $translator, 
+                                Plugin\SettingsProvider $settingsProvider, 
+                                PluginInstaller $pluginInstaller,
+                                PasswordVerifier $passwordVerify,
+                                $marketplacePlugins = null
+    ) {
         $this->translator = $translator;
         $this->settingsProvider = $settingsProvider;
         $this->pluginInstaller = $pluginInstaller;
         $this->pluginManager = Plugin\Manager::getInstance();
+        $this->passwordVerify = $passwordVerify;
 
         if (!empty($marketplacePlugins)) {
             $this->marketplacePlugins = $marketplacePlugins;
@@ -102,6 +114,13 @@ public function uploadPlugin()
 
         Nonce::discardNonce(MarketplaceController::INSTALL_NONCE);
 
+        if (!$this->passwordVerify->isPasswordCorrect(
+            Piwik::getCurrentUserLogin(),
+            Common::getRequestVar('confirmPassword', null, 'string')
+        )) {
+            throw new \Exception($this->translator->translate('Login_LoginPasswordNotCorrect'));
+        }
+
         if (empty($_FILES['pluginZip'])) {
             throw new \Exception('You did not specify a ZIP file.');
         }

diff --git a/plugins/Marketplace/Controller.php b/plugins/Marketplace/Controller.php
@@ -19,6 +19,7 @@
 use Piwik\Plugins\CorePluginsAdmin\Controller as PluginsController;
 use Piwik\Plugins\CorePluginsAdmin\CorePluginsAdmin;
 use Piwik\Plugins\CorePluginsAdmin\PluginInstaller;
+use Piwik\Plugins\Login\PasswordVerifier;
 use Piwik\Plugins\Marketplace\Input\Mode;
 use Piwik\Plugins\Marketplace\Input\PluginName;
 use Piwik\Plugins\Marketplace\Input\PurchaseType;
@@ -68,15 +69,27 @@ class Controller extends \Piwik\Plugin\ControllerAdmin
      */
     private $environment;
 
-    public function __construct(LicenseKey $licenseKey, Plugins $plugins, Api\Client $marketplaceApi, Consumer $consumer, PluginInstaller $pluginInstaller, Environment $environment)
-    {
+    /**
+     * @var PasswordVerifier
+     */
+    private $passwordVerify;
+
+    public function __construct(LicenseKey $licenseKey,
+                                Plugins $plugins,
+                                Api\Client $marketplaceApi,
+                                Consumer $consumer,
+                                PluginInstaller $pluginInstaller,
+                                Environment $environment,
+                                PasswordVerifier $passwordVerify
+    ) {
         $this->licenseKey = $licenseKey;
         $this->plugins = $plugins;
         $this->marketplaceApi = $marketplaceApi;
         $this->consumer = $consumer;
         $this->pluginInstaller = $pluginInstaller;
         $this->pluginManager = Plugin\Manager::getInstance();
         $this->environment = $environment;
+        $this->passwordVerify = $passwordVerify;
 
         parent::__construct();
     }
@@ -381,10 +394,18 @@ public function updatePlugin()
 
     public function installPlugin()
     {
-        $view = $this->createUpdateOrInstallView('installPlugin', static::INSTALL_NONCE);
-        $view->nonce = Nonce::getNonce(PluginsController::ACTIVATE_NONCE);
-
-        return $view->render();
+        $params = array(
+            'module' => 'Marketplace',
+            'action' => 'installPlugin',
+            'mode' => 'admin',
+            'pluginName' => Common::getRequestVar('pluginName'),
+            'nonce' => Common::getRequestVar('nonce')
+        );
+        if ($this->passwordVerify->requirePasswordVerifiedRecently($params)) {
+            $view = $this->createUpdateOrInstallView('installPlugin', static::INSTALL_NONCE);
+            $view->nonce = Nonce::getNonce(PluginsController::ACTIVATE_NONCE);
+            return $view->render();
+        }
     }
 
     private function createUpdateOrInstallView($template, $nonceName)

diff --git a/plugins/Marketplace/templates/uploadPluginDialog.twig b/plugins/Marketplace/templates/uploadPluginDialog.twig
@@ -8,6 +8,11 @@
               action="{{ linkTo({'module':'CorePluginsAdmin', 'action':'uploadPlugin', 'nonce': installNonce}) }}">
             <input type="file" name="pluginZip">
             <br />
+            <div piwik-field uicontrol="password" name="confirmPassword" autocomplete="off"
+                 data-title="{{ 'Login_ConfirmPasswordToContinue'|translate|e('html_attr') }}"
+                 value="">
+            </div>
+
             <input class="startUpload btn" type="submit" value="{{ 'Marketplace_UploadZipFile'|translate }}">
         </form>
     {% else %}