Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fine-grained permission system #1568

Closed
robocoder opened this issue Aug 9, 2010 · 10 comments
Closed

Fine-grained permission system #1568

robocoder opened this issue Aug 9, 2010 · 10 comments
Labels
duplicate For issues that already existed in our issue tracker and were reported previously. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.

Comments

@robocoder
Copy link
Contributor

Superuser can define what a non-superuser can or can't do. Examples:

  • can change password
  • can change email address
  • can add/modify/delete sites (who already has at least admin access to one or more sites)
  • can add/modify/delete other users
  • can use token_auth with REST API
  • ...

(Some of this might overlap/conflict with the existing access sytem.)

Can be applied to an individual user or all users.
@gka
Copy link
Contributor

gka commented Aug 9, 2010

By now it is only possible to allow or deny full viewing access to sites. Is it possible to limit the viewing access to certain plugins? This would be very helpful for anybody who likes to embed a single widget on a public page. Maybe we can introduce auth tokens that are limited to certain plugins?

@robocoder
Copy link
Contributor Author

IIRC widget-specific access was discussed in #283.

@robocoder
Copy link
Contributor Author

See Zend_Acl.

@mattab
Copy link
Member

mattab commented Nov 3, 2011

Proposed settings to add in Piwik core:

See also #1148

@anonymous-matomo-user
Copy link

Attachment: Patch for SitesManager plugin. Now simple Administrators can add new sites to track.
SitestManagerPatch.txt

@anonymous-matomo-user
Copy link

Hello from Codax team, Russia. We'have just posted the patch for core for the 'SitesManager' plugin.

So it allows Admin users to create websites they wish to track.

Check out the attached file.

@anonymous-matomo-user
Copy link

Hi,
I just want to support a more detailed permission system in which an admin is able to restrict view access.
In my case I want to deny view access to 'Ecommerce & Goals' for a specific user.

@robocoder
Copy link
Contributor Author

Idea:

  • add an access table that defines menu layout and access to controllers (and optionally, individual actions):
class Access {
    int id;
    string name; (either plugin or plugin+controller)
    string action;
    string label; (for menu items)
    Access parent;
    priority int; (for ordering menu items)
    string authorization; (user defineable via a GUI)
}
  • subscribe to FrontController.dispatch event; hook will pass through the request if authorization string is undefined (backward compatibility); returns 403 if authorization string is defined and user doesn't have authorization
  • core/Menu/* - check authorization before adding menu/submenu items
  • some of the existing checks would move into the Access table; remaining programmatic checks, such as Piwik::checkUserIsSuperUserOrTheUser(), will still have final say (for BC)
  • an Authorization service to encapsulate the isAuthorized() logic

administrative UI should manage:

  • access table
  • role assignment and hierarchy
  • menu access preview (by user or role)

@robocoder robocoder added this to the Future releases milestone Jul 8, 2014
@mattab mattab mentioned this issue Jun 9, 2014
Closed
This was referenced May 16, 2011
Closed
Closed
@mattab mattab mentioned this issue Nov 19, 2013
Closed
@mattab mattab removed Major labels Aug 3, 2014
@mattab mattab mentioned this issue Dec 1, 2014
Open
@tsteur tsteur mentioned this issue Jul 2, 2015
Closed
@sebastianpiskorski
Copy link
Contributor

+1 on this one

@Joey3000 Joey3000 mentioned this issue Sep 18, 2015
Closed
@mattab mattab modified the milestones: Long term, Mid term Dec 23, 2015
@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016
@mattab mattab removed this from the Long term milestone Dec 5, 2016
@tsteur tsteur mentioned this issue Jun 22, 2020
Open
@tsteur tsteur mentioned this issue Dec 2, 2020
Closed
@sgiehl sgiehl mentioned this issue Aug 24, 2023
Open
@sgiehl
Copy link
Member

sgiehl commented Aug 24, 2023

closing in favor of #21175

@sgiehl sgiehl closed this as completed Aug 24, 2023
@sgiehl sgiehl added the duplicate For issues that already existed in our issue tracker and were reported previously. label Aug 24, 2023
@sgiehl sgiehl mentioned this issue Jul 3, 2024
Closed
11 tasks
@innocraft-automation innocraft-automation removed this from the Backlog (Help wanted) milestone Sep 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate For issues that already existed in our issue tracker and were reported previously. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@mattab @gka @robocoder @sgiehl @anonymous-matomo-user @sebastianpiskorski @innocraft-automation