@Findus23 opened this Issue on December 3rd 2018 Member

Steps to reproduce

You need one superuser and another user that has only view access.

  1. Try to access an API that needs superuser access with the token_auth of the read-only-user.
    https://matomo.example.com/index.php?module=API&method=UsersManager.getUsers&format=JSON&token_auth=READONLYTOKEN

As expected you get an error: You can't access this resource as it requires admin access for at least one website.

  1. Now open the same URL (with the same token_auth of the read-only-user) in a browser tab where you are logged in as a superuser. Now the URL shows the user data.

This isn't a security issue (as the superuser can of course always access the API), but it is counterintuitive in case you are testing the API and expecting Matomo to only respect the token_auth and not the session of the logged in user when a token_auth is provided.

@Findus23 commented on December 3rd 2018 Member

Update: Found a Matomo instance that was stil using 3.6.1 and it was working fine there.
https://github.com/matomo-org/matomo/pull/13554 was the only change that affects sessions, so I guess it has caused the bug.

@tsteur commented on December 23rd 2018 Member

@Findus23 I've tried to reproduce this in latest 3.x-dev and couldn't reproduce it. Not sure if it was indirectly fixed or maybe try to disable all third party plugins to see if it still happens?

@Findus23 commented on December 25th 2018 Member

@tsteur I can't reproduce it any more on the same Matomo instance on 3.8.0-b5, so either it was an odd cache error or got fixed in the meantime.

This Issue was closed on December 25th 2018
Powered by GitHub Issue Mirror