Super User should not be able to see token_auth of other users #10938

mattab · 2016-12-01T22:32:32Z

For advanced security, we choose that Super Users should not see the token_auth of other users.

After this change, if you need to find out which Piwik user has issued a particular API request with a given token_auth value, you need to match the token_auth against the database table piwik_user.token_auth

This was initially implemented in: #4616 but we decided to revert it back in #10926 #10740 #5728

mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Dec 1, 2016

mattab added this to the 3.0.0-b4 milestone Dec 1, 2016

mattab closed this as completed Dec 1, 2016

mattab mentioned this issue Dec 1, 2016

In Personal settings page and API page, only show the full token_auth value on the screen after the user clicked #10939

Closed

davorminchorov mentioned this issue Jan 9, 2017

Can't get auth token from the Piwik API (v3) for a specific user / newly created user #11159

Closed

This was referenced Mar 27, 2017

API: UsersManager.getUser -> Result without token_auth #11513

Closed

no more 'token_auth' column in user management, seems after upgrade to 3.0.2-b4 #11390

Closed

Amunak mentioned this issue Apr 17, 2019

API tokens / "users" should be separate from regular users #14353

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Super User should not be able to see token_auth of other users #10938

Super User should not be able to see token_auth of other users #10938

mattab commented Dec 1, 2016

Super User should not be able to see token_auth of other users #10938

Super User should not be able to see token_auth of other users #10938

Comments

mattab commented Dec 1, 2016