Performing Admin task as nonadmin user

jbrulz · December 8, 2014, 5:11pm

Hello there. I am trying to write a plugin which will allow users to request access to sites that are being tracked by Piwik. By default users are created by the LdapLogin plugin with only a default site set which they can access. I already have a working form from which the users can pick a site to request. The code below processes the POST from the form.

The problem I run into is that the call to setUserAccess() appears to trigger an access check and I get the message “This user has Super User access and has already permission to access and modify all websites in Piwik. You may remove the Super User access from this user and try again.” back. I understand that is probably because I am making the call using doAsSuperUser. If I make the call without it I get a message about needing to have admin access on the particular website they are requesting. How do I go about handling this one? Thank you.


  public function setRequest(){
        Piwik::checkUserHasSomeViewAccess();
        //$this->checkTokenInUrl();

        $users_manager_api = APIUsersManager::getInstance();
        $login = Piwik::getCurrentUserLogin();
        $access_level = "view";
        $site_id = Common::getRequestVar('site_id', 0);

        $msg = array("status" => "success");

        if($site_id !== 0){
                $result = Access::doAsSuperUser(function() use ($login,$access_level,$site_id,$users_manager_api){
                        $return = array();

                        try{
                          $return["site"] = APISitesManager::getInstance()->getSiteFromId($site_id);
                          //$return["result"] = APIUsersManager::getInstance()->setUserAccess($login,$access_level,array($site_id)); //Doesn't work
                          $return["result"] = $users_manager_api->setUserAccess($login,$access_level,array($site_id)); //Same result as previous
                        }
                        catch(Exception $e){
                                $return["status"] = "error";
                                $return["message"] = $e.getMessage();
                        }

                        return $return;
                });

                if($result["status"] !== "error" && $result["result"] === true){
                        $msg["message"] = sprintf("You were successfully granted view access to site "%s". It should be available in the website dropdown.",$result["site"]["main_url"]);
                }else{
                        $msg["message"] = $result["message"];
                }
        }else{
                $msg["status"] = "error";
                $msg["message"] = "No Website was specified";
        }

        $notification = new Notification($msg["message"]);
        $notification->context = ($msg["status"] === "success")? Notification::CONTEXT_SUCCESS : Notification::CONTEXT_ERROR;
        $notification->type = Notification::TYPE_TOAST;
        Notification\Manager::notify('AccessNotice', $notification);

        Url::RedirectToReferrer();
  }

warloth · September 30, 2020, 10:23am

@jbrulz Sorry to revive a dead thread and this may sound weird but did you play World of Warcraft around 10 years ago? I remember playing on my trial character named “Warloth” with somebody named “jbrulz”. Unfortunately I lost contact with them later. Was wondering if it might be you lol

jbrulz · September 30, 2020, 3:41pm

@warloth Sorry. Not me. Never played WoW.

deliacum · November 3, 2020, 6:16am

Damn, I couldn’t even understand the query.