
Widgetized Dashboard accessed with token is no longer working after updating to 3.0 #11055

Closed
aguarsk opened this issue Dec 20, 2016 · 4 comments
Labels: Regression (indicates a feature used to work in a certain way but it no longer does even though it should)

Comments

aguarsk commented Dec 20, 2016

Hi!

I just updated to version 3.0 but I had a widgetized Dashboard accessed with the token as a parameter in the link, like this: http://www.webpage.com/index.php?module=Widgetize&action=iframe&moduleToWidgetize=Dashboard&actionToWidgetize=index&idSite=5&period=week&date=yesterday&token_auth=TOKEN

The Dashboard opens, but all the widgets in it say that you cannot access it, that view access to the website is required, and tell me to log in.

This was working perfectly before the update, the user (with the token) has the view privileges to the site.

Any help will be appreciated, thanks!

@aguarsk aguarsk changed the title Widgetized Dashboard access with token is no longer working after updating to 3.0 Widgetized Dashboard accessed with token is no longer working after updating to 3.0 Dec 22, 2016
@mattab mattab added the Regression Indicates a feature used to work in a certain way but it no longer does even though it should. label Dec 26, 2016
aguarsk (Author) commented Dec 29, 2016

UPDATE:

The 3.0 Piwik changelog says:

### New APIs

* The JavaScript AjaxHelper has a new method `ajaxHelper.withTokenInUrl()` to easily send a token along a XHR. Within the Controller the existence of this token can be checked via `$this->checkTokenInUrl();` to prevent CSRF attacks.

Also, in the core controller's principal class (core/Plugin/Controller.php), the docblock of the new API function says:

```php
/**
 * Checks that the token_auth in the URL matches the currently logged-in user's token_auth.
 *
 * This is a protection against CSRF and should be used in all controller
 * methods that modify Piwik or any user settings.
 *
 * If called from JavaScript by using the `ajaxHelper` you have to call `ajaxHelper.withTokenInUrl();` before
 * `ajaxHandler.send();` to send the token along with the request.
 *
 * **The token_auth should never appear in the browser's address bar.**
 *
 * @throws \Piwik\NoAccessException If the token doesn't match.
 * @api
 */
protected function checkTokenInUrl()
```

But there are Ajax requests (ajaxRequest.send) in the Dashboard plugin JavaScript (plugins/Dashboard/javascripts/widgetMenu.js) that do not send the token.
If I add what the new API suggests, it works; the problem is knowing which other plugins have the same problem.

mattab (Member) commented Jan 2, 2017

Thanks for the report @aguarsk - maybe you could submit a pull request to solve (or partially solve) this issue?

mattab (Member) commented Jan 3, 2017

This will be fixed in the next release 3.0.1-b3

@mattab mattab closed this as completed Jan 3, 2017
aguarsk (Author) commented Jan 4, 2017

Thanks, guys.
