google / site-kit-wp

Site Kit is a one-stop solution for WordPress users to use everything Google has to offer to make them successful on the web.
https://sitekit.withgoogle.com
Apache License 2.0
1.25k stars 291 forks source link

WordPress non-administrator user access to Site Kit settings #852

Closed ernee closed 1 year ago

ernee commented 4 years ago

User provided request for WordPress non-administrator access (particularly editor role access) to Site Kit settings in the support forums. Use case example can be found in the topic as well.


Do not alter or remove anything below. The following sections will be managed by moderators only.

Acceptance criteria

Implementation Brief

Changelog entry

ThierryA commented 4 years ago

Thanks Renee for reporting this enhancement request. We will revisit this in due time, no ETA at this stage.

ooksanen commented 4 years ago

A quick workaround for this is to give editor role the "manage_options" capability. Obvious downside is that all editors will be able to manage site settings (Reading, Writing, Permalinks etc...) which might not be plausible for everyone.

I think Site Kit should use its own custom capabilities (ex. manage_sitekit_options, read_analytics_data, read_pagespeed_data etc.) to enable fine grained management of user rights as you might want to show different data to admins, editors and authors.

PerrySheppard commented 4 years ago

A quick workaround for this is to give editor role the "manage_options" capability. Obvious downside is that all editors will be able to manage site settings (Reading, Writing, Permalinks etc...) which might not be plausible for everyone.

I think Site Kit should use its own custom capabilities (ex. manage_sitekit_options, read_analytics_data, read_pagespeed_data etc.) to enable fine grained management of user rights as you might want to show different data to admins, editors and authors.

Oskari and Thierry,

I added the 'manage_options' to the 'Editor' profile using the 'User Role Editor' plugin, but on my test account it's defaulting back to "The Site Kit plugin is active but requires setup". My admin profile shows Site Kit functioning properly. Note that my test profile doesn't use a gmail account as the default email address. An active Editor on the site was granted some access, but not all after I added the 'manage_options' capability (she's using a gmail account).

Do you happen to know if there are additional capabilities that need to be allowed to make site kit work for non-admins? It's a small site, but I'd prefer not to grant admin access to those who don't really need it.

PerrySheppard commented 4 years ago

I think I've resolved this issue. It appears that in addition to adding the 'manage_options' capability to the Editor profile, the email address used in the WP profile is required to be a gmail address and, I suspect but can't be certain, that the gmail user needs to be added to the appropriate google properties (GA, SC, etc.) at least at the "view data" level in those properties. I also noticed that if I changed a user's access rights (Editor>Admin or Admin>Editor) that I had to deactivate and reactivate the user rights plugin to reset their access. Not entirely certain about that though as there were a number of confounding issues (cache hanging on, disabled plugins, Site Kit updating in the midst of my troubleshooting, etc.). Anyway, it appears to be functioning now. Sidenote: it seemed that Search Console needed an additional verification on the Search Console website. Again, not sure, but wanted to pass this on in case it helps with troubleshooting for others.

ThierryA commented 4 years ago

Hi @PerrySheppard,

Great that you are trying to modularize the plugin to your needs. Note that we do not currently have a built-in way to add support for it and can't guaranty that your changes will work in the future. You are welcome to hack Site Kit but at your own risk.

Thanks,

razorfrog commented 4 years ago

It really would be great if GSK used custom capabilities instead of manage_options like @ooksanen suggested above. There are surprisingly few good backend analytics plugins right now!

sleepless-ninja commented 4 years ago

I just want to add another voice to this.

Maybe we could have a hook that allows us to add roles in order to grant access to the setup?

I think that would be the lesser of all else.

bonnellyk commented 4 years ago

We would also be highly interested in this feature. We are currently using another plugin to display the data to the Editor users and would greatly appreciate to only use Site Kit. Having the opportunity to show/hide the different sections to the non-administrators would be awesome. Thanks and Regards

matvez93 commented 4 years ago

We want to use your extension for all of our customers, are you planning to develop this feature soon?

logicelf commented 4 years ago

+1 for this. Site Kit is great, and we'd like to use it across our sites - but like a lot of WP houses, we run in SaaS mode and give Editor logins (with user management caps) to our clients.

For Site Kit to replace third-party solutions, it really has to be accessible to users other than admins.

tobartels commented 4 years ago

+1 for this. restricting access to only the admin that installed it, makes this very nice plugin very impractical. had to de-install it again because team couldnt access and its not possible to change all wp accounts to Gmail adresses.

mikesale commented 4 years ago

Views are useless if only an admin can see them, they'll end up going to the full website anyway. Please create a read capability!

Extra cool level of access: Option to let Authors and/or Editors can see any page/url specific content from Site Kit, but not overall site metrics.

eduardogoncalves commented 4 years ago

Awesome ideia @mikesale!

Buildbetter commented 4 years ago

+1

jumzoid commented 4 years ago

+1 Yes please to Editor role access

ghost commented 4 years ago

+17 - number of client website looking to see stats on their WP dashboard.

All these clients have editor access so a read-only access level for editors, at least, is essential for this to become a meaningful plugin beyond just setting up integration codes and scripts.

However, lovely plugin, lovely interface, dead easy to use - thank you

tareq1988 commented 4 years ago

I hope this feature gets implemented very soon. Already this issue is due for 7 months.

Giving the editors access to see only the analytics would be cool.

ThierryA commented 4 years ago

Thanks all for your feedback. Circling back on this thread, are carefully all your feedback on an ongoing basis, however there is currently not ETA for this feature request.

Already this issue is due for 7 months.

Important to note that we track and value all feature requests, however this does not mean they are "due" 😉

Supanaught commented 4 years ago

+1 for this

Echoing @OandB's comment, it's a great plugin but without Editor / Shop Manager access I still need to direct clients to theiur analytics account for any reporting requirements.

bozzmedia commented 4 years ago

Seems to be related to this issue https://github.com/google/site-kit-wp/issues/6?fbclid=IwAR0kWQ2hQ_VGgVzsiUZh2Q6wgZ8R3zdpqyZBomXQ6WYPi6r8LDryjb5o7mc

Frustrating to discover this after moving a number of sites to Site Kit. Here's hoping for a potential fix soon.

timotheemoulin commented 4 years ago

A read only access to the stats for the editors (or any other custom role) is required for most agencies to one day consider using this plugin.

@ThierryA if you would consider this as an interesting feature, maybe you could let some instructions for a PR?

Those capabilities are already mapped to user caps, but I can't figure out if there is any way to make it work.

<?php
final class Permissions {
    /*
     * Custom primitive capabilities.
     */
    const AUTHENTICATE = 'googlesitekit_authenticate';
    const SETUP = 'googlesitekit_setup';
    const VIEW_POSTS_INSIGHTS = 'googlesitekit_view_posts_insights';
    const VIEW_DASHBOARD = 'googlesitekit_view_dashboard';
    const VIEW_MODULE_DETAILS = 'googlesitekit_view_module_details';
    const MANAGE_OPTIONS = 'googlesitekit_manage_options';
    const PUBLISH_POSTS = 'googlesitekit_publish_posts';

    /*
     * Custom meta capabilities.
     */
    const VIEW_POST_INSIGHTS = 'googlesitekit_view_post_insights';
Buildbetter commented 4 years ago

They should make this option and everybody to select what access to allow to different roles. But i thing they what other stuff, to take and spy more google accounts, so in one site they want to spy all google accounts who manage or view statistics for this site! This is very bad practice!

ThierryA commented 4 years ago

@timotheemoulin the technical implementation requires quite a bit of work but isn't the only concern.

The main concern is security and privacy as some data are sensitive. At the moment Site Kit respects each Google Services account permission. When a user connect to Site Kit with a Google account, that account has to have access to the respective Google Services in order to see the data. If we were to change that, it would essential translate to "allow other WordPress users to use my connected account to view data on my behalf (aka act as me)" which opens the door to all sort of security leaks as these users are not logged as Google users and verified for the given domain.

From a technical perspective, API requests are made on behalf of the logged in user. Allowing to make request on behalf of one user only may cause scalability issues due to quotas and again, it is very bad security practices.

Rest assured that we are taking your feedback in consideration and exploring solutions. At this stage, we mainly exploring to allow non WP admin to use Site Kit (they would still have to have access to Google Services for the reason above though).

If you are an agency setting up Site Kit for clients, I would advise the following:

For the client, the only thing which is required is to user their account to connect to Site Kit.

In an ideal world, login forms wouldn't exist which it would make life much easier for everyone. However security and privacy is crucial and while we try to simplify things as much as possible (and will continue to do so), there are things which we can't just ignore for the sake of simplicity.

I hope that makes more sense.

@Buildbetter I hope the explanation above adds clarity as why just allowing everyone to access potentially sensitive data is not as trivial as one would imagine.

timotheemoulin commented 4 years ago

Thanks for the in-depth explanation.

I totally agree that giving an access to the Google account API key to multiple users is bad practice if they were to have write access to the API.

The way I see it is that it's not the user per se who is viewing the data (which might require a dedicated API key), but more the WP application which is fetching data and should be configured in a way that we can grant access to some features to a group of people.

I fear that if people cannot grant access to a read only representation of the data (just like we would add more people to the same Analytics account, property or view. They will either not use the plugin or worse, use a single admin account and thus bypassing everything that is right to do on a security level.

Could one solution be that instead of using a full "Google login process" to authenticate the user, we allow to use an API key like the one we would have when using directly the API? https://developers.google.com/analytics/devguides/reporting/core/v4/quickstart/service-php?hl=fr

timotheemoulin commented 4 years ago

If you are an agency setting up Site Kit for clients, I would advise the following:

  • If the client doesn't not have a Google account, ensure one is created by the client (or the agency to create one for them which I would not necessarily recommend)
  • Agency setup Site Kit and activate the relevant modules
  • Agency add client account to all Google Services (grant access)
  • Agency walk the client through Site Kit connect step

This is exactly what we are doing, but the issue we are facing is that the user MUST be an administrator to have access to the Site Kit plugin, which is unacceptable for most of us as it would allow the user to have a full access on the WordPress app. Are we missing something?

logicelf commented 4 years ago

This issue is becoming needlessly complex. Two things are true here:

  1. Site owners/managers/content managers require access to GA.
  2. Many site owners/managers/content managers are not using the WP Administrator role.

There are no security concerns here - the security model already exists in GA, and is the only one which is relevant. If the user can sign into a GA account from the plugin, they will see whatever they have permission to see.

The only issue here is that the plugin is doing an additional, arbitrary, completely unnecessary permission check against WP user capabilities - which is a wholly unrelated set of permissions.

The only change that is necessary here is to remove that check. That's it. If they can sign into a GA account, and that GA account has permissions to see the data for that domain, that user should be able to see the data for that domain. WP user roles and capabilities are utterly irrelevant - and as WP devs, we have myriad ways of preventing either the built-in user roles, or roles of our own creation, from seeing the Dashboard widget if we so choose.

timotheemoulin commented 4 years ago

Another true thing

  1. The plugin is requesting write access to the Google Analytics properties which IMO is absolutely not what we need it to do.

Can @ThierryA tell us why you need the plugin to have such high privileges on the Analytics account only to retrieve the data? I didn't went really far using the plugin, but (at least for Analytics) there seems to be no need for such privileges.

Buildbetter commented 4 years ago

Ok, let see the standard mass use case, we create a business site for a small company, there is two roles - administrator and editor, they both need to see statistics, the company give us a google account to setup their statistics. Is it possible to have a checkbox in the options give access to edtor to see statistics. That is simple and useful.

PauKokura commented 4 years ago

+1 This is a real need.

mredodos commented 4 years ago

+1

is awesome if add some specific capabilities for the plugin, so we can decide who to give or not access to the console and the plugin. currently any user with manage_option can reset the plugin and that's not a good thing.

ngxson commented 4 years ago

+1

I really need this feature. On my site, one one admin can use site kit and that's very painful. I mentioned this issue on https://github.com/google/site-kit-wp/issues/1568 but they seem to ignore that.

thomasjulienalain commented 4 years ago

+1 really needed !

ThierryA commented 4 years ago

Thanks all for your comments!

Let's make a distinction between "allowing non WP admins to use Site Kit" (this issue https://github.com/google/site-kit-wp/issues/852) and "share data of the dashboard with other WP users (non Google logged in users)" (https://github.com/google/site-kit-wp/issues/6) which will make the conversation easier (I realize that my last answer overlapped the two topics too).

Let me step back and add some context about the reason Site Kit is currently limited to admins. From a security perspective, WordPress sites/environments are regarded as non trusted. By that I mean that we cannot guaranty that a request is made from Site Kit plugin itself and more importantly, we need to have a proof that the domain who a user claim to have access to is really the case. To address this security concern, Site Kit requires the site to be verified which we automate during step 1 of the setup. Currently every Site Kit users need to be verified which should only be limited to admin users due to access implication as a verified user for a domain.

Changing the above is not as trivial as simply removing the WP permission check, we have to think about an alternative to our current verification process. We currently have to potential solutions in mind:

Of course the above are still being discuss and will need a thorough security and privacy review.

Trust that we will continue updating this thread as we make progress.

ThierryA commented 4 years ago

Another true thing

  • The plugin is requesting write access to the Google Analytics properties which IMO is absolutely not what we need it to do.

Can @ThierryA tell us why you need the plugin to have such high privileges on the Analytics account only to retrieve the data? I didn't went really far using the plugin, but (at least for Analytics) there seems to be no need for such privileges.

@timotheemoulin this is no longer the case as from version 1.9.0 (see issue https://github.com/google/site-kit-wp/issues/1566), write access is now only requested when needed and only for the user who is doing an action which needs write access (during setup for example).

MasterKhatri commented 4 years ago

Even after enabling "manage_options" capability for editor user role, the editor is still not being able to access the analytics page. Can anybody please share a working workaround?

LoicDelahais commented 4 years ago

+1

mlopezcoria commented 4 years ago

I totally agree with this request. I't really 'a must' to allow other user roles (at least Editor) to view SK data. Just that: to visualize, not to edit settings.

studiocachet commented 4 years ago

+1 A 'simple' view for the client would be sufficient

DhrRob commented 4 years ago

+1.

The whole reason I installed this, was to easily display Google statistics to clients who don't understand how to log in to Google Analytics. However, this seems not possible so had to delete it again.

ghost commented 4 years ago

Yeah, we have removed it from all of our installs as well.

mlopezcoria commented 4 years ago

Yeah, we have removed it from all of our installs as well.

We did it, too.

logicelf commented 4 years ago

Ditto - this just isn't an acceptable end-user experience right now.

archon810 commented 3 years ago

Related: #827, but it was closed in favor of #6.

digi4care commented 3 years ago

Still editor has no view acces to the sitekits dasboard

veylau commented 3 years ago

Same question! It would be great!

kskonovalov commented 3 years ago

+1

jas8522 commented 3 years ago

Yet another +1 here...

iamandrewpeters commented 3 years ago

Another +1. The whole reason I have looked at switching to site kit is the ease of setup plus the views for clients with an editor role and manage options capability. This seems like a no-brainer?

vlastimilott commented 3 years ago

+1 pls

mxbclang commented 3 years ago

Thanks, all, for your upvotes and requests here. Non-admin user access is still on our radar as a future improvement, but we don't have a specific timeline for implementation at this time.