You can create users via "addUser", update existing users via "updateUser" and delete users via "deleteUser". Users can be listed in several ways: by login ("getUser" and "getUsers"), by email ("getUserByEmail"), or by which users have permission (view or admin) to access the specified websites ("getUsersWithSiteAccess"). Existing permissions can be listed for a given login via "getSitesAccessFromUser", for a given website ID via "getUsersAccessFromSite", or, for a given permission level, as all matching users and websites via "getUsersSitesFromAccess". Permissions are set and updated via the method "setUserAccess". See also the documentation about Managing Users in Piwik.
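 /**
  * Authenticates the user either by password (when one was supplied) or by token_auth.
  *
  * A supplied password hash is first exchanged for the user's token_auth, so the rest
  * of the method only compares tokens. Without a login the token is looked up directly;
  * with a login, the user's stored token (or its session hash, see
  * SessionInitializer::getHashTokenAuth()) must match the supplied one. Token
  * comparison uses hash_equals() so that a mismatch is reported in constant time and
  * cannot be probed byte by byte.
  *
  * @return AuthResult SUCCESS / SUCCESS_SUPERUSER_AUTH_CODE on a match, FAILURE otherwise
  */
 public function authenticate()
 {
     if (!empty($this->md5Password)) {
         // favor authenticating by password: resolve it to the user's token_auth
         $this->token_auth = UsersManagerAPI::getInstance()->getTokenAuth($this->login, $this->getTokenAuthSecret());
     }
     if (is_null($this->login)) {
         $model = new Model();
         $user = $model->getUserByTokenAuth($this->token_auth);
         if (!empty($user['login'])) {
             $code = !empty($user['superuser_access']) ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
             return new AuthResult($code, $user['login'], $this->token_auth);
         }
     } elseif (!empty($this->login)) {
         $model = new Model();
         $user = $model->getUser($this->login);
         // both sides must be strings for hash_equals(); anything else is a failed login
         if (!empty($user['token_auth']) && is_string($user['token_auth']) && is_string($this->token_auth)) {
             $storedToken = $user['token_auth'];
             $hashedToken = SessionInitializer::getHashTokenAuth($this->login, $storedToken);
             // constant-time comparison: the supplied token is caller-controlled input
             $tokenMatches = hash_equals($storedToken, $this->token_auth)
                 || (is_string($hashedToken) && hash_equals($hashedToken, $this->token_auth));
             if ($tokenMatches) {
                 $this->setTokenAuth($storedToken);
                 $code = !empty($user['superuser_access']) ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
                 return new AuthResult($code, $this->login, $storedToken);
             }
         }
     }
     return new AuthResult(AuthResult::FAILURE, $this->login, $this->token_auth);
 }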
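 /**
  * Checks if the provided CURRENT password is correct and calls the parent
  * class function if so. Otherwise provides error message.
  *
  * The current password is read from the request, decrypted and hashed; the
  * resulting hash is compared with the stored one using hash_equals() so the
  * check runs in constant time. Every failure (missing password, anonymous
  * user, wrong password) is rendered as an API error response instead of
  * being thrown to the caller.
  *
  * @see the parent class function for parameters and return value
  */
 public function recordUserSettings()
 {
     try {
         $passwordCurrent = Common::getRequestVar('passwordCurrent', false);
         $passwordCurrent = Crypto::decrypt($passwordCurrent);
         // Note: Compare loosely, so both, "" (password input empty; forms send strings)
         //       and "password input not sent" are covered - see
         //       https://secure.php.net/manual/en/types.comparisons.php
         if ($passwordCurrent == "") {
             throw new Exception(Piwik::translate('UsersManagerEncrypted_CurrentPasswordNotProvided'));
         }
         // gets username as string or "anonymous"
         $userName = Piwik::getCurrentUserLogin();
         if ($userName === 'anonymous') {
             throw new Exception(Piwik::translate('UsersManagerEncrypted_UserNotAuthenticated'));
         }
         // see Piwik\Plugins\Login\Auth for used password hash function
         // (in setPassword()) and access to hashed password (in getTokenAuthSecret())
         $model = new Model();
         $user = $model->getUser($userName);
         $storedHash = isset($user['password']) ? (string) $user['password'] : '';
         $providedHash = (string) UsersManagerEncrypted::getPasswordHash($passwordCurrent);
         // hash_equals(): constant-time comparison, so the response time does not
         // depend on how many leading bytes of the hash were correct
         if ($storedHash === '' || !hash_equals($storedHash, $providedHash)) {
             throw new Exception(Piwik::translate('UsersManagerEncrypted_CurrentPasswordIncorrect'));
         }
         $toReturn = parent::recordUserSettings();
     } catch (Exception $e) {
         $response = new ResponseBuilder(Common::getRequestVar('format'));
         $toReturn = $response->getResponseException($e);
     }
     return $toReturn;
 }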
File: Auth.php Project: piwik/piwik
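 /**
  * Authenticates $login with either the raw token_auth stored for the user or the
  * session hash of that token (see SessionInitializer::getHashTokenAuth()).
  *
  * Both comparisons use hash_equals() so a wrong token is rejected in constant time.
  *
  * @param string $token the token supplied by the caller (untrusted input)
  * @param string $login the login the token is claimed for
  * @return AuthResult the result of authenticationSuccess() on a match, FAILURE otherwise
  */
 private function authenticateWithTokenOrHashToken($token, $login)
 {
     $user = $this->userModel->getUser($login);
     // hash_equals() needs two strings; a missing token or a non-string is a failed login
     if (empty($user['token_auth']) || !is_string($user['token_auth']) || !is_string($token)) {
         return new AuthResult(AuthResult::FAILURE, $login, $token);
     }
     $storedToken = $user['token_auth'];
     $hashedToken = SessionInitializer::getHashTokenAuth($login, $storedToken);
     // constant-time comparison against both accepted forms of the token
     if (hash_equals($storedToken, $token) || (is_string($hashedToken) && hash_equals($hashedToken, $token))) {
         return $this->authenticationSuccess($user);
     }
     return new AuthResult(AuthResult::FAILURE, $login, $token);
 }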
 /**
  * Appends the token_auth of every user with Super User access to $tokens.
  *
  * The collected values are long-lived credentials of the most privileged
  * accounts, so callers should treat the array as sensitive.
  *
  * @param array $tokens receives one token per Super User (passed by reference)
  */
 public function getCronArchiveTokenAuth(&$tokens)
 {
     $superUsers = (new Model())->getUsersHavingSuperUserAccess();
     foreach ($superUsers as $superUserRow) {
         $tokens[] = $superUserRow['token_auth'];
     }
 }
 /**
  * Stores the token_auth of the first Super User into $token.
  *
  * When no Super User exists, $token is left untouched. The value is a
  * long-lived credential and should be handled accordingly by the caller.
  *
  * @param string|null $token receives the token (passed by reference)
  */
 public function getCronArchiveTokenAuth(&$token)
 {
     $superUsers = (new Model())->getUsersHavingSuperUserAccess();
     if (empty($superUsers)) {
         // nothing to hand out; $token keeps whatever the caller passed in
         return;
     }
     $firstSuperUser = reset($superUsers);
     $token = $firstSuperUser['token_auth'];
 }
 /**
  * Authenticates user
  *
  * If the web server supplied an HTTP-auth login (getHttpAuthLogin()), that login
  * is trusted as already verified and only has to exist in the user model; no
  * token or password is checked here. Otherwise the parent's authentication runs.
  *
  * @return \Piwik\AuthResult
  */
 public function authenticate()
 {
     $httpLogin = $this->getHttpAuthLogin();
     if (empty($httpLogin)) {
         // no login from the web server: fall back to the regular mechanism
         return parent::authenticate();
     }
     $user = $this->userModel->getUser($httpLogin);
     if (empty($user)) {
         // known to the web server but not to Piwik: refuse rather than auto-create
         return new AuthResult(AuthResult::FAILURE, $httpLogin, null);
     }
     $isSuperUser = !empty($user['superuser_access']);
     $code = $isSuperUser ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
     return new AuthResult($code, $httpLogin, $user['token_auth']);
 }
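 /**
  * Set an access level to a given user for a list of websites ID.
  *
  * If access = 'noaccess' the current access (if any) will be deleted.
  * If access = 'view' or 'admin' the current access level is deleted and updated with the new value.
  *
  * Authorization: the caller must have 'admin' access to every site in $idSites
  * (Piwik::checkUserHasAdminAccess), the target user must not be a Super User,
  * and 'anonymous' can never be granted 'admin'.
  *
  * @param string $userLogin The user login
  * @param string $access Access to grant. Must have one of the following value : noaccess, view, admin
  * @param int|array|string $idSites The array of idSites on which to apply the access level for the user.
  *       If the value is "all" then we apply the access level to all the websites ID for which the current authentificated user has an 'admin' access.
  *
  * @throws Exception if the user doesn't exist
  * @throws Exception if the access parameter doesn't have a correct value
  * @throws Exception if any of the given website ID doesn't exist
  * @throws Exception if no website ID is given
  *
  * @return void
  */
 public function setUserAccess($userLogin, $access, $idSites)
 {
     $this->checkAccessType($access);
     $this->checkUserExists($userLogin);
     $this->checkUserHasNotSuperUserAccess($userLogin);
     // the anonymous user must never become an admin of anything
     if ($userLogin === 'anonymous' && $access === 'admin') {
         throw new Exception(Piwik::translate("UsersManager_ExceptionAdminAnonymous"));
     }
     // in case idSites is all we grant access to all the websites on which the current connected user has an 'admin' access
     if ($idSites === 'all') {
         $idSites = \Piwik\Plugins\SitesManager\API::getInstance()->getSitesIdWithAdminAccess();
     } else {
         $idSites = Site::getIdSitesFromIdSitesString($idSites);
     }
     if (empty($idSites)) {
         throw new Exception('Specify at least one website ID in &idSites=');
     }
     // it is possible to set user access on websites only for the websites admin
     // basically an admin can give the view or the admin access to any user for the websites he manages
     Piwik::checkUserHasAdminAccess($idSites);
     // always start from a clean slate so a change of level replaces rather than accumulates
     $this->model->deleteUserAccess($userLogin, $idSites);
     // if the access is noaccess then we don't save it as this is the default value
     // when no access are specified
     if ($access !== 'noaccess') {
         $this->model->addUserAccess($userLogin, $access, $idSites);
     } else {
         // event listeners receive an array of ids even when a single id was given
         if (!is_array($idSites)) {
             $idSites = array($idSites);
         }
         Piwik::postEvent('UsersManager.removeSiteAccess', array($userLogin, $idSites));
     }
     // we reload the access list which doesn't yet take in consideration this new user access
     Access::getInstance()->reloadAccess();
     Cache::deleteTrackerCache();
 }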
 /**
  * Tells whether $login has view or admin access to at least one of the sites
  * the current user administers (such users may be shown to the current user).
  *
  * The three access maps are loaded once and cached on the instance.
  *
  * @param string $login
  * @return bool
  */
 private function hasAccessToSameSite($login)
 {
     if (!isset($this->idSitesWithAdmin)) {
         $this->idSitesWithAdmin = $this->access->getSitesIdWithAdminAccess();
         $this->usersWithAdminAccess = $this->model->getUsersSitesFromAccess('admin');
         $this->usersWithViewAccess = $this->model->getUsersSitesFromAccess('view');
     }
     $administeredSites = $this->idSitesWithAdmin;
     // a non-empty intersection (truthy array) means at least one site is shared
     $sharesViewSite = isset($this->usersWithViewAccess[$login])
         && array_intersect($administeredSites, $this->usersWithViewAccess[$login]);
     $sharesAdminSite = isset($this->usersWithAdminAccess[$login])
         && array_intersect($administeredSites, $this->usersWithAdminAccess[$login]);
     return $sharesViewSite || $sharesAdminSite;
 }
File: API.php Project: piwik/piwik
 /**
  * Returns the user's API token.
  *
  * If the username/password combination is incorrect an invalid token will be returned.
  * That token is freshly generated from the login, the current time and a unique id,
  * so the response has the same shape whether the login is unknown or the password is wrong.
  *
  * @param string $userLogin Login
  * @param string $md5Password hashed string of the password (using current hash function; MD5-named for historical reasons)
  * @return string the stored token_auth on success, a throw-away token otherwise
  */
 public function getTokenAuth($userLogin, $md5Password)
 {
     UsersManager::checkPasswordHash($md5Password, Piwik::translate('UsersManager_ExceptionPasswordMD5HashExpected'));
     $user = $this->model->getUser($userLogin);
     $storedHash = $user['password'];
     if ($this->password->verify($md5Password, $storedHash)) {
         // re-hash on successful login when the stored hash no longer satisfies needsRehash()
         if ($this->password->needsRehash($storedHash)) {
             $this->updateUser($userLogin, $this->password->hash($md5Password));
         }
         return $user['token_auth'];
     }
     // wrong credentials: hand back a random, throw-away token
     return md5($userLogin . microtime(true) . Common::generateUniqId());
 }
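 /**
  * Authenticates the user by token_auth.
  *
  * Without a login the token is looked up directly. With a login, the user's stored
  * token (or its session hash, see getHashTokenAuth()) must match the supplied one;
  * that comparison uses hash_equals() so a mismatch is reported in constant time
  * and cannot be probed byte by byte.
  *
  * @return AuthResult SUCCESS / SUCCESS_SUPERUSER_AUTH_CODE on a match, FAILURE otherwise
  */
 public function authenticate()
 {
     if (is_null($this->login)) {
         $model = new Model();
         $user = $model->getUserByTokenAuth($this->token_auth);
         if (!empty($user['login'])) {
             $code = !empty($user['superuser_access']) ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
             return new AuthResult($code, $user['login'], $this->token_auth);
         }
     } elseif (!empty($this->login)) {
         $model = new Model();
         $user = $model->getUser($this->login);
         // both sides must be strings for hash_equals(); anything else is a failed login
         if (!empty($user['token_auth']) && is_string($user['token_auth']) && is_string($this->token_auth)) {
             $storedToken = $user['token_auth'];
             $hashedToken = $this->getHashTokenAuth($this->login, $storedToken);
             // constant-time comparison: the supplied token is caller-controlled input
             $tokenMatches = hash_equals($storedToken, $this->token_auth)
                 || (is_string($hashedToken) && hash_equals($hashedToken, $this->token_auth));
             if ($tokenMatches) {
                 $this->setTokenAuth($storedToken);
                 $code = !empty($user['superuser_access']) ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
                 return new AuthResult($code, $this->login, $storedToken);
             }
         }
     }
     return new AuthResult(AuthResult::FAILURE, $this->login, $this->token_auth);
 }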
 /**
  * Granting Super User access must remove every per-site view/admin entry of
  * that user; the final check reads the model directly, bypassing the API.
  */
 public function testSetSuperUserAccess_ShouldDeleteAllExistingAccessEntries()
 {
     list($viewSite, $adminSite) = $this->addSites(2);
     $login = 'login1';
     $this->api->addUser($login, 'password1', '*****@*****.**', false);
     $this->api->setUserAccess($login, 'view', array($viewSite));
     $this->api->setUserAccess($login, 'admin', array($adminSite));
     // precondition: the per-site access is in place before Super User access is granted
     $expectedAccess = array($viewSite => 'view', $adminSite => 'admin');
     $actualAccess = $this->_flatten($this->api->getSitesAccessFromUser($login));
     $this->assertEquals($expectedAccess, $actualAccess);
     $this->api->setSuperUserAccess($login, true);
     // ...and gone afterwards
     $this->assertEquals(array(), $this->model->getSitesAccessFromUser($login));
 }
 /**
  * Returns the user row for the current login (or, failing that, the current
  * token_auth), loading it from the users model on first use and caching it.
  *
  * @return array|false|null whatever the users model returns for the lookup
  * @throws Exception when neither a login nor a token_auth is available
  */
 protected function getUserForLogin()
 {
     if (!empty($this->userForLogin)) {
         return $this->userForLogin;
     }
     if (!empty($this->login)) {
         $this->userForLogin = $this->usersModel->getUser($this->login);
     } elseif (!empty($this->token_auth)) {
         $this->userForLogin = $this->usersModel->getUserByTokenAuth($this->token_auth);
     } else {
         throw new Exception("Cannot get user details, neither login nor token auth are set.");
     }
     return $this->userForLogin;
 }
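 /**
  * Authenticates user
  *
  * Trusts the login already stored on this object (set by the caller; presumably
  * from an external identity source — verify) and provisions a Piwik user for it
  * on first sight: if no user exists for the login, one is looked up by token_auth
  * and, failing that, created. The default site ids are then granted as 'view'
  * access (when the user is viewable or a Super User) and the Super User flag is
  * synchronised. Note that the login is replaced by the login of the user found
  * via token_auth, if that path was taken.
  *
  * @return AuthResult always a success code; this method never yields FAILURE
  */
 public function authenticate()
 {
     $logger = StaticContainer::get('Psr\\Log\\LoggerInterface');
     $model = new Model();
     $user = $model->getUser($this->login);
     if (!$user) {
         $user = $model->getUserByTokenAuth($this->token_auth);
         if (!$user) {
             $logger->info("Creating user " . $this->login);
             $model->addUser($this->login, $this->getTokenAuthSecret(), $this->email, $this->alias, $this->token_auth, Date::now()->getDatetime());
             $user = $model->getUser($this->login);
         }
     }
     $accessCode = !empty($user['superuser_access']) ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
     // the user found by token_auth may carry a different login than the one supplied
     $this->login = $user['login'];
     if ($this->getViewableUserStatus() || $this->getSuperUserStatus()) {
         $site_ids = $this->getDefaultSiteIds();
         $current_accesses = array();
         foreach ($site_ids as $site_id) {
             $accesses = $model->getUsersAccessFromSite($site_id);
             // keys are logins; PHP turns numeric-looking keys into ints, hence the string cast
             foreach ($accesses as $accessLogin => $accessLevel) {
                 if ((string) $accessLogin === (string) $this->login && in_array($accessLevel, array('view', 'admin'), true)) {
                     $current_accesses[] = $site_id;
                 }
             }
         }
         // strict in_array is safe here: $current_accesses holds the very same $site_id values
         $new_accesses = array();
         foreach ($site_ids as $site_id) {
             if (!in_array($site_id, $current_accesses, true)) {
                 $new_accesses[] = $site_id;
             }
         }
         if (!empty($new_accesses)) {
             $logger->info("Adding default site ids to " . $this->login);
             $model->addUserAccess($this->login, "view", $new_accesses);
         }
     }
     $is_superuser = $this->getSuperUserStatus();
     $model->setSuperUserAccess($this->login, $is_superuser);
     return new AuthResult($accessCode, $this->login, $this->token_auth);
 }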
 /**
  * Seeds the test database with eight regular users plus 'anonymous', makes
  * login1 a Super User and applies the per-site permissions listed in $this->users.
  */
 private function createManyUsers()
 {
     $createdAt = '2008-01-01 00:00:00';
     for ($n = 1; $n <= 8; $n++) {
         // login3 won't have access to any site
         $this->model->addUser('login' . $n, md5('pass'), '*****@*****.**', 'alias' . $n, md5('token' . $n), $createdAt);
     }
     $this->model->addUser('anonymous', '', '*****@*****.**', 'anonymous', 'anonymous', $createdAt);
     // we treat login1 as our superuser
     $this->model->setSuperUserAccess('login1', true);
     foreach ($this->users as $login => $permissionsByLevel) {
         foreach ($permissionsByLevel as $accessLevel => $idSites) {
             $this->model->addUserAccess($login, $accessLevel, $idSites);
         }
     }
 }
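 /**
  * Uses information in LDAP user entity to set access levels in Piwik.
  *
  * All existing per-site access of the user is deleted first and the levels
  * returned by the mapper are then granted one at a time, so the result reflects
  * LDAP only. If the mapper returns nothing, existing access is left untouched
  * and a warning is logged. Grants run via Access::doAsSuperUser() because the
  * UsersManager API checks the caller's own permissions.
  *
  * @param string $piwikLogin The username of the Piwik user whose access will be set.
  * @param string[] $ldapUser The LDAP entity to use when synchronizing.
  */
 public function synchronizePiwikAccessFromLdap($piwikLogin, $ldapUser)
 {
     if (empty($this->userAccessMapper)) {
         return;
     }
     $userAccess = $this->userAccessMapper->getPiwikUserAccessForLdapUser($ldapUser);
     if (empty($userAccess)) {
         Log::warning("UserSynchronizer::%s: User '%s' has no access in LDAP, but access synchronization is enabled.", __FUNCTION__, $piwikLogin);
         return;
     }
     // wipe before granting so access revoked in LDAP is revoked here as well
     $this->userModel->deleteUserAccess($piwikLogin);
     $usersManagerApi = $this->usersManagerApi;
     foreach ($userAccess as $userAccessLevel => $sites) {
         Access::doAsSuperUser(function () use ($usersManagerApi, $userAccessLevel, $sites, $piwikLogin) {
             // strict comparison: only the literal 'superuser' key grants Super User access
             if ($userAccessLevel === 'superuser') {
                 $usersManagerApi->setSuperUserAccess($piwikLogin, true);
             } else {
                 $usersManagerApi->setUserAccess($piwikLogin, $userAccessLevel, $sites);
             }
         });
     }
 }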
 /**
  * Sets the report owner's email and alias as the Reply-To of $mail, but only
  * when the 'scheduled_reports_replyto_is_user_email_and_alias' config flag is
  * on and the report carries a login.
  *
  * @param Mail $mail the message to adjust
  * @param array $report the scheduled report row (uses 'login' when present)
  */
 protected function setReplyToAsSender(Mail $mail, array $report)
 {
     $useOwnerAsReplyTo = Config::getInstance()->General['scheduled_reports_replyto_is_user_email_and_alias'];
     if (!$useOwnerAsReplyTo || !isset($report['login'])) {
         return;
     }
     $owner = (new UserModel())->getUser($report['login']);
     $mail->setReplyTo($owner['email'], $owner['alias']);
 }
 /**
  * Test fixture: creates a user with 'admin' access to $idSite and returns its token_auth.
  *
  * The token is requested from the API before the user row exists, so it is
  * whatever getTokenAuth() yields for an unknown login; that value is then stored
  * as the user's real token.
  *
  * @param int $idSite
  * @return string the token_auth stored for the new user
  */
 private function createAdminUserForSite($idSite)
 {
     $login = '******';
     $passwordHash = UsersManager::getPasswordHash('password');
     $token = API::getInstance()->getTokenAuth($login, $passwordHash);
     $model = new Model();
     $model->addUser($login, $passwordHash, 'admin@piwik', 'alias', $token, '2014-01-01 00:00:00');
     $model->addUserAccess($login, 'admin', array($idSite));
     return $token;
 }