Performing Admin task as nonadmin user


#1

Hello there. I am trying to write a plugin which will allow users to request access to sites that are being tracked by Piwik. By default users are created by the LdapLogin plugin with only a default site set which they can access. I already have a working form from which the users can pick a site to request. The code below processes the POST from the form.

The problem I run into is that the call to setUserAccess() appears to trigger an access check and I get the message “This user has Super User access and has already permission to access and modify all websites in Piwik. You may remove the Super User access from this user and try again.” back. I understand that is probably because I am making the call using doAsSuperUser. If I make the call without it I get a message about needing to have admin access on the particular website they are requesting. How do I go about handling this one? Thank you.


    // Imports needed at the top of the controller file (Piwik 2.x class paths):
    // use Exception;
    // use Piwik\Access;
    // use Piwik\Common;
    // use Piwik\Notification;
    // use Piwik\Piwik;
    // use Piwik\Url;
    // use Piwik\Plugins\SitesManager\API as APISitesManager;
    // use Piwik\Plugins\UsersManager\API as APIUsersManager;

    public function setRequest()
    {
        Piwik::checkUserHasSomeViewAccess();
        //$this->checkTokenInUrl();

        $users_manager_api = APIUsersManager::getInstance();
        $login = Piwik::getCurrentUserLogin();
        $access_level = "view";
        // Cast to int so the strict comparison below cannot fail on a string "0"
        $site_id = (int) Common::getRequestVar('site_id', 0, 'int');

        $msg = array("status" => "success");

        if ($site_id !== 0) {
            $result = Access::doAsSuperUser(function () use ($login, $access_level, $site_id, $users_manager_api) {
                // Initialise the status so the caller never reads an undefined index
                $return = array("status" => "success");

                try {
                    $return["site"] = APISitesManager::getInstance()->getSiteFromId($site_id);
                    //$return["result"] = APIUsersManager::getInstance()->setUserAccess($login, $access_level, array($site_id)); //Doesn't work
                    $return["result"] = $users_manager_api->setUserAccess($login, $access_level, array($site_id)); //Same result as previous
                } catch (Exception $e) {
                    $return["status"] = "error";
                    $return["message"] = $e->getMessage(); // was $e.getMessage(): "." concatenates, it does not call the method
                }

                return $return;
            });

            if ($result["status"] !== "error" && $result["result"] === true) {
                // Inner quotes must be escaped inside a double-quoted string
                $msg["message"] = sprintf("You were successfully granted view access to site \"%s\". It should be available in the website dropdown.", $result["site"]["main_url"]);
            } else {
                $msg["status"] = "error";
                $msg["message"] = isset($result["message"]) ? $result["message"] : "Access was not granted";
            }
        } else {
            $msg["status"] = "error";
            $msg["message"] = "No Website was specified";
        }

        $notification = new Notification($msg["message"]);
        $notification->context = ($msg["status"] === "success") ? Notification::CONTEXT_SUCCESS : Notification::CONTEXT_ERROR;
        $notification->type = Notification::TYPE_TOAST;
        Notification\Manager::notify('AccessNotice', $notification);

        Url::redirectToReferrer();
    }
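A hardened variant of this handler, as an added example that is not from the original post or from the Piwik project: it keeps the CSRF token check, validates the site id, limits self-service grants to an allow-list, refuses the request for a user who already holds super user access, and runs only the single grant call with elevated rights. The plugin namespace, the getRequestableSiteIds() helper and the sprintf-style Piwik\Log::info() audit call are assumptions.

```php
<?php
// Added example, not from the original post or the Piwik project. ASSUMED: Piwik 2.x
// class paths, this plugin namespace, getRequestableSiteIds() and Piwik\Log::info().
namespace Piwik\Plugins\AccessRequest;

use Exception;
use Piwik\Access;
use Piwik\Common;
use Piwik\Log;
use Piwik\Piwik;
use Piwik\Plugins\UsersManager\API as APIUsersManager;

class Controller extends \Piwik\Plugin\Controller
{
    // Sites a view-only user may grant themselves. ASSUMED: loaded from plugin
    // config in a real deployment; here a constructed allow-list.
    private function getRequestableSiteIds()
    {
        return array(2, 3, 5);
    }

    // Returns array('status' => ..., 'message' => ...). Every decision is taken
    // with the caller's own rights; only the one grant call is elevated.
    public function grantViewAccess()
    {
        Piwik::checkUserHasSomeViewAccess();
        $this->checkTokenInUrl();   // CSRF check stays on: this POST changes permissions
        $login  = Piwik::getCurrentUserLogin();
        $siteId = (int) Common::getRequestVar('site_id', 0, 'int');
        if ($siteId <= 0) {
            return array('status' => 'error', 'message' => 'No website was specified');
        }
        if (Piwik::hasUserSuperUserAccess()) {
            return array('status' => 'error', 'message' => 'Super users already see every site');
        }
        if (!in_array($siteId, $this->getRequestableSiteIds(), true)) {
            return array('status' => 'error', 'message' => 'This website cannot be self-requested');
        }
        try {
            // doAsSuperUser restores the caller's access level even when the closure throws
            Access::doAsSuperUser(function () use ($login, $siteId) {
                APIUsersManager::getInstance()->setUserAccess($login, 'view', array($siteId));
            });
        } catch (Exception $e) {
            return array('status' => 'error', 'message' => $e->getMessage());
        }
        Log::info('AccessRequest: user %s granted view on site %d', $login, $siteId);  // audit trail
        return array('status' => 'success', 'message' => "View access granted for site $siteId");
    }
}
```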