Super User should not be able to see token_auth of other users #10938
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
For advanced security, we choose that Super Users should not see the token_auth of other users.
After this change, if you need to find out which Piwik user has issued a particular API request with a given token_auth value, you need to match the token_auth against the database table piwik_user.token_auth.
This was initially implemented in: #4616 but we decided to revert it back in #10926 #10740 #5728