From 0ec29deb555f911b0aafda033904991164e8c90e Mon Sep 17 00:00:00 2001
From: Altamash Shaikh
Date: Thu, 11 Jun 2026 07:40:30 +0530
Subject: [PATCH] Adds code to enforce View access on the controller action, #AS-560
---
 CHANGELOG.md | 2 +-
 Controller.php | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cae74bd2..f795cc21 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,8 @@
 ## Changelog
-
 # 5.1.9 - 2026-06-22
 - Upgrade packages: guzzle to 7.10.1, psr7 to 2.10.4 & promises to ^2.3,
+- Enforce View access on the `pendingImports` controller action
 # 5.1.8 - 2026-05-25
 - Upgraded phpseclib package to 3.0.52
diff --git a/Controller.php b/Controller.php
index 612cece4..9294e487 100644
--- a/Controller.php
+++ b/Controller.php
@@ -475,6 +475,8 @@ private function getNotificationExceptionText(\Exception $e)
 }
 public function pendingImports()
 {
+ $idSite = Common::getRequestVar('idSite', -1, 'int');
+ Piwik::checkUserHasViewAccess($idSite);
 $pendingImports = \Piwik\Plugins\GoogleAnalyticsImporter\GoogleAnalyticsImporter::canDisplayImportPendingNotice();
 return json_encode($pendingImports);
 }
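Review bot: The check added to `pendingImports()` authorises against the `idSite` the caller supplies, but `canDisplayImportPendingNotice()` is called with no site argument, so the returned value does not appear to be scoped to that site. As written, view access on any one site the caller chooses is enough to read the import-pending state. If that state is installation-wide, the required privilege should be stated explicitly: `Piwik::checkUserHasSuperUserAccess();` if only super users manage imports, or `Piwik::checkUserHasSomeViewAccess();` if any authenticated viewer may see it. A one-line comment above the check should record which bar was chosen and why. The `-1` default also relies on `checkUserHasViewAccess()` rejecting a non-existent site id, so a test for a request with no `idSite` would pin the fail-closed behaviour. The body of `canDisplayImportPendingNotice()` is outside this hunk and may apply its own checks.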