Show OAuth2 management link only for superusers (#57)

Author: mneudert

CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Changelog
 
+### Unreleased
+
+- Updated the connect guidance so only superusers see the OAuth2 client management link, while other users are told to contact a superuser.
+
 ### 5.0.2
 
 - Disabled anonymous access to the MCP API endpoint and connect guidance page.

Controller.php

@@ -31,9 +31,12 @@ public function connect(): string
         $view = new View('@McpServer/connect');
         $this->setBasicVariablesView($view);
 
+        $hasSuperUserAccess = Access::getInstance()->hasSuperUserAccess();
+
         $view->assign('isMcpEnabled', $this->systemSettings->isMcpEnabled());
         $view->assign('isOAuth2Enabled', $this->systemSettings->isOAuth2PluginEnabled());
-        $view->assign('canAccessMcpSettings', Access::getInstance()->hasSuperUserAccess());
+        $view->assign('canAccessMcpSettings', $hasSuperUserAccess);
+        $view->assign('canManageOAuth2Clients', $hasSuperUserAccess);
         $view->assign('mcpApiEndpoint', $this->getMcpApiEndpointUrl());
         $view->assign('mcpSettingsUrl', $this->getMcpSettingsUrl());
         $view->assign('oauth2ClientManagementUrl', $this->getOAuth2ClientManagementUrl());

lang/en.json

@@ -22,9 +22,11 @@
         "ConnectNeedAuthMethod": "A compatible MCP client that supports your chosen authentication method",
         "ConnectNeedEndpoint": "The MCP server endpoint (URL)",
         "ConnectNeedOAuth2Client": "An OAuth2 client configured for your Matomo if you want to connect using OAuth2",
+        "ConnectNeedOAuth2ClientNoPermission": "An OAuth2 client configured by a Matomo superuser if you want to connect using OAuth2",
         "ConnectNeedToken": "A Matomo %1$stoken_auth%2$s (used as a Bearer token)",
         "ConnectNeedTokenAlternative": "A Matomo %1$stoken_auth%2$s if you want to connect using token-based authentication",
         "ConnectOAuth2HelpLink": "OAuth2 is available for this MCP Server because the Matomo OAuth2 plugin is installed and enabled. If you do not already have an OAuth2 client for your MCP client, create one in %1$sAdministration -> Platform -> OAuth2 Clients%2$s first. OAuth2 allows you to use a dedicated client and can provide more granular access control.",
+        "ConnectOAuth2HelpNoPermission": "OAuth2 is available for this MCP Server because the Matomo OAuth2 plugin is installed and enabled. If you do not already have an OAuth2 client for your MCP client, ask a Matomo superuser to create one for you. OAuth2 allows you to use a dedicated client and can provide more granular access control.",
         "ConnectOAuth2Title": "Recommended: Connect Using OAuth2",
         "ConnectPageTitle": "How to Connect to the MCP Server",
         "ConnectTokenAlternativeTitle": "Alternative: Connect Using token_auth",

templates/connect.twig

@@ -24,7 +24,11 @@
                 <ul class="browser-default">
                     <li>{{ 'McpServer_ConnectNeedEndpoint'|translate }}</li>
                     {% if isOAuth2Enabled %}
-                        <li>{{ 'McpServer_ConnectNeedOAuth2Client'|translate }}</li>
+                        {% if canManageOAuth2Clients %}
+                            <li>{{ 'McpServer_ConnectNeedOAuth2Client'|translate }}</li>
+                        {% else %}
+                            <li>{{ 'McpServer_ConnectNeedOAuth2ClientNoPermission'|translate }}</li>
+                        {% endif %}
                         <li>{{ 'McpServer_ConnectNeedAuthMethod'|translate }}</li>
                         <li>{{ 'McpServer_ConnectNeedTokenAlternative'|translate('<code>', '</code>')|raw }}</li>
                     {% else %}
@@ -82,7 +86,11 @@
             {% if isOAuth2Enabled %}
                 <h3>{{ 'McpServer_ConnectOAuth2Title'|translate }}</h3>
                 <p>
-                    {{ 'McpServer_ConnectOAuth2HelpLink'|translate('<a href="' ~ oauth2ClientManagementUrl|escape('html_attr') ~ '">', '</a>')|raw }}
+                    {% if canManageOAuth2Clients %}
+                        {{ 'McpServer_ConnectOAuth2HelpLink'|translate('<a href="' ~ oauth2ClientManagementUrl|escape('html_attr') ~ '">', '</a>')|raw }}
+                    {% else %}
+                        {{ 'McpServer_ConnectOAuth2HelpNoPermission'|translate }}
+                    {% endif %}
                 </p>
                 <h3>{{ 'McpServer_ConnectTokenAlternativeTitle'|translate }}</h3>
                 <p>{{ 'McpServer_ConnectInClientTokenHelpAlternative'|translate('<code>', '</code>', '<a href="' ~ userSecurityUrl|escape('html_attr') ~ '">', '</a>', '<code>', '</code>')|raw }}</p>

tests/UI/McpServer_spec.js

@@ -254,7 +254,7 @@ describe('McpServer', function () {
         expect(await page.$(`${connectSelector} a[href*="module=CoreAdminHome"][href*="action=generalSettings"]`)).to.equal(null);
     });
 
-    it('should display OAuth2 guidance when the OAuth2 plugin is enabled', async function () {
+    it('should display OAuth2 client management guidance for superusers when the OAuth2 plugin is enabled', async function () {
         await configureMcp(true);
         testEnvironment.mockOAuth2PluginEnabled = 1;
         testEnvironment.save();
@@ -286,4 +286,24 @@ describe('McpServer', function () {
 
         expect(await page.screenshotSelector(connectSelector)).to.matchImage('connect_oauth2');
     });
+
+    it('should display contact-superuser OAuth2 guidance for view users when the OAuth2 plugin is enabled', async function () {
+        await configureMcp(true);
+        testEnvironment.mockOAuth2PluginEnabled = 1;
+        testEnvironment.save();
+        setViewUser();
+
+        await page.goto(connectUrl);
+        await page.waitForNetworkIdle();
+        await page.waitForSelector(connectSelector, { visible: true });
+
+        const text = await getConnectText();
+
+        expect(text).to.contain('OAuth2 is available for this MCP Server and is the recommended way to connect.');
+        expect(text).to.contain('Recommended: Connect Using OAuth2');
+        expect(text).to.contain('An OAuth2 client configured by a Matomo superuser if you want to connect using OAuth2');
+        expect(text).to.contain('If you do not already have an OAuth2 client for your MCP client, ask a Matomo superuser to create one for you.');
+        expect(text).to.not.contain('If you do not already have an OAuth2 client for your MCP client, create one in Administration -> Platform -> OAuth2 Clients first.');
+        expect(await page.$(`${connectSelector} a[href*="module=OAuth2"][href*="action=index"]`)).to.equal(null);
+    });
 });