Segmented visitor log export fails due to lack of token_auth #10147

Closed
mgonera opened this issue May 12, 2016 · 4 comments
Labels
answered For when a question was asked and we referred to forum or answered it. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. c: Usability For issues that let users achieve a defined goal more effectively or efficiently.

Comments

mgonera commented May 12, 2016

2.16.0 Scenario reproduced on Chrome:

  1. Go to Actions->Events
  2. Open segmented visitor log for some event
  3. Scroll down
  4. Open export bar
  5. TSV link is in scope here. If you right-click it, you will get something like:

https://domain.com/index.php?module=API&method=Live.getLastVisitsDetails&format=TSV&idSite=4&period=day&date=2016-05-10&expanded=1&translateColumnNames=1&language=en&segment=eventCategory==Some_value

  6. So, copying such a link and pasting it in a new tab causes a message about lack of permissions, because it's missing the token_auth parameter.
  7. Now just click this link, allow the file to download.
  8. Now, if you right-click it and use "Copy link address", you will get the same link but enhanced with token_auth and filter_limit:

https://domain.com/index.php?module=API&method=Live.getLastVisitsDetails&format=TSV&idSite=4&period=day&date=2016-05-10&expanded=1&translateColumnNames=1&language=en&segment=eventCategory==Some_value&token_auth=token_auth_here&filter_limit=20

  9. Now such a link will work if copied and pasted in another window. Cool. But here comes the fun part:
  10. Just click the link once again and allow the file to be downloaded once again.
  11. Right-click the link and copy it now. Now, it will have token_auth and filter_limit added 2 times. This can go on and on.

The basic issue is that after first entering the segmented visitor log, the right-clicked copied link doesn't work straight away. But I see there is some bigger problem connected with that, and I believe it may be generic to all segmented visitor log views or maybe some more reports which can be exported.

Member

tsteur commented May 12, 2016

This is currently expected behaviour and was added because of #2701 in 7f07937 by the looks. This should be the behaviour for all of our export links no matter where.

Maybe we could also listen on right click and modify the link in such a case. I presume there should not be any risk for it.

@tsteur tsteur added the Bug For errors / faults / flaws / inconsistencies etc. label May 12, 2016
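
An added example, not part of the thread and not Matomo's code: one way to make the link rewrite idempotent, so repeated clicks cannot stack `token_auth` and `filter_limit`, and to refresh the link on right click as suggested above. The function names `setExportParams` and `wireExportLink` are hypothetical; the parameter names come from the URLs in the report.

```javascript
// Added example; function names are hypothetical, not Matomo's API.

// Set (rather than append) query parameters on an export URL.
// Existing copies of the managed keys are dropped first, so calling this
// any number of times yields the same URL. All other parameters are kept
// byte-for-byte (for example the "==" inside the segment value).
function setExportParams(href, params) {
  const hashAt = href.indexOf('#');
  const fragment = hashAt === -1 ? '' : href.slice(hashAt);
  const noFrag = hashAt === -1 ? href : href.slice(0, hashAt);
  const qAt = noFrag.indexOf('?');
  const base = qAt === -1 ? noFrag : noFrag.slice(0, qAt);
  const query = qAt === -1 ? '' : noFrag.slice(qAt + 1);

  const managed = new Set(Object.keys(params));
  const kept = query.split('&').filter((pair) => {
    if (pair === '') return false;
    // The key is everything before the first "="; managed keys are plain
    // ASCII, so a raw comparison is enough here.
    return !managed.has(pair.split('=')[0]);
  });
  for (const [key, value] of Object.entries(params)) {
    kept.push(key + '=' + encodeURIComponent(String(value)));
  }
  return base + '?' + kept.join('&') + fragment;
}

// Browser wiring: refresh the href before a left click is followed and
// before the context menu opens, so "Copy link address" should already
// carry the parameters on first use.
function wireExportLink(link, getParams) {
  const refresh = () => {
    link.href = setExportParams(link.href, getParams());
  };
  link.addEventListener('mousedown', refresh);
  link.addEventListener('contextmenu', refresh);
}
```
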
Author

mgonera commented May 12, 2016

Thanks @tsteur for clearing it out, now I understand. Are you aiming to fix it in the next version?

Member

tsteur commented May 12, 2016

Probably not, as it's not a critical bug that could lead to data loss or something. This would usually be more like something for mid term as it still works in general.

@tsteur tsteur added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label May 25, 2016
@mattab mattab added c: Usability For issues that let users achieve a defined goal more effectively or efficiently. and removed Bug For errors / faults / flaws / inconsistencies etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels May 27, 2016
@mattab mattab added this to the Mid term milestone May 27, 2016
@mattab mattab added the PP label Jul 8, 2016
@mattab mattab modified the milestones: 2.16.x (LTS), Mid term Jul 8, 2016
@mattab mattab removed the PP label Jul 14, 2016
@mattab mattab modified the milestones: Mid term, 2.16.x (LTS) Aug 3, 2016
@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Aug 3, 2016
Member

mattab commented Sep 25, 2018

The new "Copy Export URL" feature was introduced recently fixing this issue.

@mattab mattab closed this as completed Sep 25, 2018
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label Sep 25, 2018