Really looks promising but not able to use it until…

It’s going to allow access to anything on the Google account you authenticate with. If you want to restrict their access to just their Google Analytics properties, you should authenticate with their Google account, not yours.

It’s also a potential security issue if you were to just hide the other properties after picking one. Because internally it would still need to store the OAuth token that is for your entire account which you would be basically turning over to the end user.

Definitely going to be better security-wise to use the user’s Google account rather than the “master” one that has access to everything if the user has the ability to edit settings in the WP install.

There is no google account for the client. It’s one admin account for different clients.

In one eye it may be a security risk but for the administration it’s way more helpful and there is no ability to manipulate the data via the google api, right?

If we would go your suggested way, we would need way more email addresses to create the GA accounts which are not used by the client. And for security reasons ?? we don’t access their email data.

How much access are you giving the clients? Like do they have any reporting ability at all within the normal Google Analytics interface here? https://www.google.com/analytics/

Purely from a theoretical security standpoint, you could actually do a lot of “bad things” if you wanted to with the API token that it stores internally. For example they could access all reports for all web properties. If someone was being super malicious they could simply delete all the web properties on the Google Analytics account (although I believe Google Analytics doesn’t fully commit a deletion for 30 days, so that has an “undo” option for 30 days).

You could of course prevent the web property from being changed at the user interface level, but it still would have the underlying “keys to the kingdom” being stored internally in WordPress (the token) which *probably* would be fine, but purely from a security standpoint is scary when you are turning those keys over to all clients and more or less just telling them not to do anything bad with them.

There’s the smaller issue as well where you need to somehow handle if someone picked the wrong web property initially. If the whole point is to only allow selection once, how do you allow them to change it when it was initially set as a mistake?

Do the clients have full admin access to the WordPress interface? The best solution that I can think of would be to allow certain settings (like picking the web property for reporting) to be done by users with the highest security/role, and then let lower tier users still able to view reports, but not get in and muck with the settings.

Like do you let them change other settings or do things like edit theme files?

You can find an outline of WordPress roles/permissions here: https://codex.www.ads-software.com/Roles_and_Capabilities

The client itself has only the report in the dashboard. They dont get the account details nor do they need more than just the basics.

That’s what the plugin usage is for. Simple task, easy to administrate.

I understand that you talk and care much about security but in a system which is vulnerable sometimes, one plugin doesn’t make the difference to me. If it’s working that way: perfect. But if there is a need for compromises I will accept them.

Reducing the ability for the user is a great idea. Maybe it’s one feature that will stand out. The WP users want everything clean and simple – thats what I’ve learned in the last couple of years.

A “reset button” is easy to implement. Remove the token, ask for a new auth. That’s all.

I’m with phloo on this one, with regards to managing client sites. Even if there is a security issue with “hiding” the account selection box after authentication, in this case, security through obscurity is better than nothing.

One suggestion, as a couple of other GA plugins do, would be to add an option to disable that settings screen (or all settings) for all but a single administrator account. This way I would be the only one able to access those settings and the client could not change properties. I’m not worried about malicious actions so much as I am about misconfiguration or mistakes made by other admins who accidentally change a setting.

I understand your stance, but I think it would be nice to at least have the option.

An option to limit access to all settings to just the currently viewing admin account seems like a more workable solution (since I can see cases where someone wouldn’t want the client messing with *any* settings, not just the API settings).

That option has been added to the source for the next release (will be in 1.1.3).