API uses session instead of token_auth #13795

Closed
Findus23 opened this issue Dec 3, 2018 · 3 comments
Labels
worksforme The issue cannot be reproduced and things work as intended.

Comments

Findus23 (Member) commented Dec 3, 2018

Steps to reproduce

You need one superuser and another user that has only view access.

  1. Try to access an API that needs superuser access with the token_auth of the read-only user:
     https://matomo.example.com/index.php?module=API&method=UsersManager.getUsers&format=JSON&token_auth=READONLYTOKEN

     As expected you get an error: You can't access this resource as it requires admin access for at least one website.

  2. Now open the same URL (with the same token_auth of the read-only user) in a browser tab where you are logged in as a superuser. Now the URL shows the user data.

This isn't a security issue (as the superuser can of course always access the API), but it is counterintuitive in case you are testing the API and expecting Matomo to only respect the token_auth and not the session of the logged in user when a token_auth is provided.
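The two-request check described in the steps above, written out as an added example; it is not part of the issue or of Matomo's own code. It assumes Matomo's JSON error shape `{"result": "error", "message": ...}`, a browser session presented as a `Cookie` header (the cookie name `MATOMO_SESSID` and its value are placeholders), and a constructed fake transport so that it runs offline; `urllib_fetch` is the real transport to swap in when probing an instance you are allowed to test.

```python
"""Check whether an API honours the token_auth parameter over the browser session.

Added example (not Matomo's code). The error JSON shape, the cookie name and the
fake transport below are assumptions constructed for this demonstration.
"""
import json
import urllib.request
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# A transport takes (url, headers) and returns the response body as text.
Fetch = Callable[[str, Dict[str, str]], str]


def build_api_url(base: str, method: str, token_auth: str) -> str:
    """Build the API URL exactly as in the reproduction steps (GET with token_auth)."""
    params = {"module": "API", "method": method, "format": "JSON", "token_auth": token_auth}
    return f"{base}/index.php?{urlencode(params)}"


def call_api(fetch: Fetch, base: str, method: str, token_auth: str,
             session_cookie: Optional[str] = None):
    """Call the API with a token, optionally also presenting a browser session cookie."""
    headers: Dict[str, str] = {}
    if session_cookie:
        headers["Cookie"] = session_cookie  # cookie name/value are placeholders (assumed)
    return json.loads(fetch(build_api_url(base, method, token_auth), headers))


def is_access_error(response) -> bool:
    """Matomo reports API failures as {"result": "error", "message": "..."}."""
    return isinstance(response, dict) and response.get("result") == "error"


def token_overrides_session(fetch: Fetch, base: str, method: str,
                            readonly_token: str, superuser_cookie: str) -> bool:
    """True when the read-only token is rejected both without and with the
    superuser session cookie, i.e. the session does not override token_auth."""
    plain = call_api(fetch, base, method, readonly_token)
    with_session = call_api(fetch, base, method, readonly_token, superuser_cookie)
    return is_access_error(plain) and is_access_error(with_session)


def urllib_fetch(url: str, headers: Dict[str, str]) -> str:
    """Real transport for probing a live instance (not used by the offline demo)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed fake transport: models a server that either lets the logged-in
# session win (the behaviour reported in the issue) or honours the token.
ACCESS_DENIED = json.dumps({
    "result": "error",
    "message": "You can't access this resource as it requires admin access "
               "for at least one website.",
})
USER_LIST = json.dumps([{"login": "superuser", "email": "superuser@example.com"}])  # constructed


def make_fake_fetch(session_wins: bool) -> Fetch:
    def fetch(url: str, headers: Dict[str, str]) -> str:
        if session_wins and "Cookie" in headers:
            return USER_LIST      # the session overrode the read-only token
        return ACCESS_DENIED      # token_auth alone decided the outcome
    return fetch


if __name__ == "__main__":
    base = "https://matomo.example.com"
    for label, fake in (("token honoured", make_fake_fetch(False)),
                        ("session overrides", make_fake_fetch(True))):
        ok = token_overrides_session(fake, base, "UsersManager.getUsers",
                                     "READONLYTOKEN", "MATOMO_SESSID=placeholder")
        print(f"{label}: token_auth respected = {ok}")
```

Running the two requests from a script rather than a browser tab removes the ambiguity the issue describes: the first call carries no session at all, the second carries only the cookie you chose to send, so a difference between the two responses can only come from the server treating the session as authoritative over the supplied token_auth.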

@tsteur tsteur added the Bug For errors / faults / flaws / inconsistencies etc. label Dec 3, 2018
Findus23 (Member, Author) commented Dec 3, 2018

Update: Found a Matomo instance that was still using 3.6.1 and it was working fine there.
#13554 was the only change that affects sessions, so I guess it has caused the bug.

tsteur (Member) commented Dec 23, 2018

@Findus23 I've tried to reproduce this in latest 3.x-dev and couldn't reproduce it. Not sure if it was indirectly fixed or maybe try to disable all third party plugins to see if it still happens?

@Findus23 Findus23 added worksforme The issue cannot be reproduced and things work as intended. and removed Bug For errors / faults / flaws / inconsistencies etc. labels Dec 25, 2018
Findus23 (Member, Author) commented

@tsteur I can't reproduce it any more on the same Matomo instance on 3.8.0-b5, so either it was an odd cache error or got fixed in the meantime.
