From 9ec21c80c370ddfcb3f057008fb82bb920b1e6b2 Mon Sep 17 00:00:00 2001 From: Altamash Shaikh Date: Mon, 22 Jun 2026 14:21:46 +0530 Subject: [PATCH 1/2] Adds code to improve the access check before sending an alert, #AS-586 --- CHANGELOG.md | 1 + Processor.php | 16 ++++++++++++++++ plugin.json | 2 +- tests/Integration/ProcessorTest.php | 28 ++++++++++++++++++++++++++++ 4 files changed, 46 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f47bdb9..8128029 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ## Changelog +* 5.3.1 - 2026-06-29 - Added code to improve the access check before sending an alert * 5.3.1 - 2026-06-08 - Added restrict access check for MultiSites.getAll report for non superusers * 5.3.0 - 2026-05-11 - Added alert description and helptexts * 5.2.6 - 2026-04-27 - Updated API documentation diff --git a/Processor.php b/Processor.php index 6ca1349..fc9098c 100755 --- a/Processor.php +++ b/Processor.php @@ -18,6 +18,7 @@ use Piwik\Piwik; use Piwik\Plugins\API\ProcessedReport; use Piwik\Scheduler\RetryableException; +use Piwik\Plugins\SitesManager\API as SitesManagerApi; use Piwik\Site; /** @@ -185,6 +186,10 @@ private function shouldBeProcessed($alert, $idSite) return false; } + if (!$this->hasViewPermissionForAlertOwner($alert, $idSite)) { + return false; + } + if (!$this->validator->isValidComparableDate($alert['period'], $alert['compared_to'])) { // actually it would be nice to log or send a notification or whatever that we have skipped an alert return false; 
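Review bot: The new early return in `shouldBeProcessed()` drops the alert without leaving any trace when the owner has lost view access, so a revoked permission looks the same as a broken alert to whoever investigates a missing notification. The check that follows it already carries a comment wishing for a log entry, and this branch has not even that. I would add a comment such as `// owner no longer has view access to this site: skip so no report data is sent on their behalf`, and a log line with the alert id and site id at the same spot. The body of `shouldBeProcessed()` begins outside this hunk.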
@@ -198,6 +203,17 @@ private function shouldBeProcessed($alert, $idSite) return true; } + protected function hasViewPermissionForAlertOwner(array $alert, int $idSite): bool + { + if (empty($alert['login'])) { + return false; + } + + $idSitesUserHasAccess = SitesManagerApi::getInstance()->getSitesIdWithAtLeastViewAccess($alert['login']); + + return !empty($idSitesUserHasAccess) && in_array($idSite, $idSitesUserHasAccess); + } + private function reportExists($idSite, $report, $metric) { try { diff --git a/plugin.json b/plugin.json index d9bec1d..3aebc79 100644 --- a/plugin.json +++ b/plugin.json @@ -1,7 +1,7 @@ { "name": "CustomAlerts", "description": "Create custom Alerts to be notified of important changes on your website or app! ", - "version": "5.3.1", + "version": "5.3.2", "require": { "matomo": ">=5.0.0-b1,<6.0.0-b1" }, diff --git a/tests/Integration/ProcessorTest.php b/tests/Integration/ProcessorTest.php index 38e63fc..77f9ff5 100644 --- a/tests/Integration/ProcessorTest.php +++ b/tests/Integration/ProcessorTest.php @@ -73,6 +73,11 @@ public function restrictMultiSitesReportToAlertOwner(array $params, array $repor { return parent::restrictMultiSitesReportToAlertOwner($params, $report, $alert); } + + public function hasViewPermissionForAlertOwner(array $alert, int $idSite): bool + { + return parent::hasViewPermissionForAlertOwner($alert, $idSite); + } } /** @@ -544,6 +549,7 @@ private function buildAlert( ) { return array( 'idalert' => 1, + 'login' => 'superUserLogin', 'period' => $period, 'id_sites' => $idSites, 'metric_condition' => 'increase_more_than', 
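Review bot: `in_array($idSite, $idSitesUserHasAccess)` in `hasViewPermissionForAlertOwner()` makes an authorisation decision with a loose comparison. Normalise the ids and compare strictly, e.g. `return in_array($idSite, array_map('intval', $idSitesUserHasAccess), true);`, which also makes the `!empty()` guard unnecessary. Separately, the check is only as strong as the way `getSitesIdWithAtLeastViewAccess()` treats the login argument for the current caller, which this hunk does not show. If that API honours the argument only in some contexts (for example inside a scheduled task) and otherwise answers for the session user, a run started by a superuser would pass for every site; this is worth confirming against the SitesManager API. A short docblock stating that the lookup is made for `$alert['login']`, not the current user, and that a missing login returns `false`, would record the intent.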
@@ -600,6 +606,28 @@ public function test_processAlert_shouldNotRun_IfWebsiteDoesNotMatch() $this->assertProcessNotRun($alert, array(99, 85)); } + public function test_processAlert_shouldNotRun_IfAlertOwnerNoLongerHasViewAccess() + { + $alert = $this->buildAlert([1]); + + $processorMock = $this->getMockBuilder('Piwik\Plugins\CustomAlerts\tests\Integration\CustomProcessor') + ->setMethods(['hasViewPermissionForAlertOwner', 'getValueForAlertInPast', 'triggerAlert']) + ->getMock(); + + $processorMock->expects($this->once()) + ->method('hasViewPermissionForAlertOwner') + ->with($this->equalTo($alert), $this->equalTo(1)) + ->will($this->returnValue(false)); + + $processorMock->expects($this->never()) + ->method('getValueForAlertInPast'); + + $processorMock->expects($this->never()) + ->method('triggerAlert'); + + $processorMock->processAlert($alert, 1); + } + public function test_processAlert_shouldOnlyBeTriggeredIfAlertMatches() { $alert = $this->buildAlert(array(1), 'MultiSites_getAll', 'nb_visits', '5', 'day', $comparedTo = 7); From adfe6e87d07be08644ff2439e2b9ce2587b092b6 Mon Sep 17 00:00:00 2001 From: Altamash Shaikh Date: Tue, 23 Jun 2026 07:11:13 +0530 Subject: [PATCH 2/2] Fixes changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8128029..08b6008 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ ## Changelog -* 5.3.1 - 2026-06-29 - Added code to improve the access check before sending an alert +* 5.3.2 - 2026-06-29 - Added code to improve the access check before sending an alert * 5.3.1 - 2026-06-08 - Added restrict access check for MultiSites.getAll report for non superusers * 5.3.0 - 2026-05-11 - Added alert description and helptexts * 5.2.6 - 2026-04-27 - Updated API documentation
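Review bot: `test_processAlert_shouldNotRun_IfAlertOwnerNoLongerHasViewAccess` replaces `hasViewPermissionForAlertOwner` with a mock, so it proves only that `processAlert()` stops when that method returns false. The lookup itself is not exercised in the hunks shown. The public wrapper added to `CustomProcessor` allows a direct test, and I would add cases that call `hasViewPermissionForAlertOwner()` with an empty `login`, with an owner who has view access to the site, and with an owner who has none. `buildAlert()` now hard-codes `'login' => 'superUserLogin'`, so if that is the fixture's superuser, every other test in the class passes the check through a superuser account and never reaches the restricted path this patch is about.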