@Findus23 opened this Issue on December 3rd 2018 Member

Steps to reproduce

You need one superuser and another user that has only view access.

  1. Try to access an API that needs superuser access with the token_auth of the read-only-user.
    https://matomo.lw1.at/index.php?module=API&method=UsersManager.getUsers&format=JSON&token_auth=READONLYTOKEN

As expected you get an error: You can't access this resource as it requires admin access for at least one website.

  1. Now open the same URL (with the same token_auth of the read-only-user) in a browser tab where you are logged in as a superuser. Now the URL shows the user data.

This isn't a security issue (as the superuser can of course always access the API), but it is counterintuitive in case you are testing the API and expecting Matomo to only respect the token_auth and not the session of the logged in user when a token_auth is provided.

@Findus23 commented on December 3rd 2018 Member

Update: Found a Matomo instance that was stil using 3.6.1 and it was working fine there.
https://github.com/matomo-org/matomo/pull/13554 was the only change that affects sessions, so I guess it has caused the bug.

Powered by GitHub Issue Mirror