Steps to reproduce

1. You need one superuser and another user that has only view access.
2. Try to access an API that needs superuser access with the token_auth of the read-only user: https://matomo.example.com/index.php?module=API&method=UsersManager.getUsers&format=JSON&token_auth=READONLYTOKEN
3. As expected you get an error: "You can't access this resource as it requires admin access for at least one website."
4. Now open the same URL (with the same token_auth of the read-only user) in a browser tab where you are logged in as a superuser. Now the URL shows the user data.

This isn't a security issue (as the superuser can of course always access the API), but it is counterintuitive in case you are testing the API and expecting Matomo to only respect the token_auth and not the session of the logged-in user when a token_auth is provided.
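The check a tester wants after walking through those steps is to call the endpoint from a client that carries no browser session and compare that with the same call carrying the superuser's session cookie: if the verdicts differ, the session, not the token_auth, decided the access check. The following is an added Python example, not code from the Matomo project or the issue author. The hostname, tokens, the session cookie name `MATOMO_SESSID` and its value are assumptions; the JSON error envelope `{"result": "error", "message": ...}` is the one Matomo's API uses; the two `*_fetch` server stand-ins are constructed so the check runs offline and show both the behaviour the issue reports and the behaviour the reporter expected.

```python
import json
import urllib.parse
import urllib.request

# Hypothetical host and credentials; the URL shape is the one from the issue.
API_URL = "https://matomo.example.com/index.php"
READONLY_TOKEN = "READONLYTOKEN"
SUPERUSER_TOKEN = "SUPERUSERTOKEN"
SUPERUSER_COOKIE = "MATOMO_SESSID=0123456789abcdef"  # assumed cookie name and value


def build_request(token_auth, cookie=None, method="UsersManager.getUsers"):
    """Build the GET from the issue; a Cookie header is attached only when asked for."""
    query = urllib.parse.urlencode({
        "module": "API",
        "method": method,
        "format": "JSON",
        "token_auth": token_auth,
    })
    headers = {"Cookie": cookie} if cookie else {}
    return urllib.request.Request(f"{API_URL}?{query}", headers=headers)


def live_fetch(request):
    """Send with urllib, which keeps no cookie jar: only the headers we set go out."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


def classify(body):
    """Reduce a Matomo JSON API response to 'denied', 'allowed' or 'unparseable'.
    Matomo reports API errors as {"result": "error", "message": "..."}."""
    try:
        data = json.loads(body)
    except ValueError:
        return "unparseable"
    if isinstance(data, dict) and data.get("result") == "error":
        return "denied"
    return "allowed"


def check_token_precedence(token_auth, session_cookie, fetch=live_fetch):
    """Call the endpoint twice: token only, then token plus an ambient session.

    A token-scoped endpoint gives the same verdict both times. If the verdicts
    differ, the session decided the access check, which is the surprise the
    issue describes."""
    _, token_only = fetch(build_request(token_auth))
    _, with_session = fetch(build_request(token_auth, cookie=session_cookie))
    result = {
        "token_only": classify(token_only),
        "token_with_session": classify(with_session),
    }
    result["session_overrides_token"] = (
        result["token_only"] != result["token_with_session"]
    )
    return result


# Constructed server stand-ins so the check can be exercised offline.
DENIED_BODY = json.dumps({"result": "error",
                          "message": "You can't access this resource as it requires "
                                     "admin access for at least one website."})
USERS_BODY = json.dumps([{"login": "admin", "email": "admin@example.com"}])


def session_first_fetch(request):
    """Behaviour reported in the issue: a superuser session wins over token_auth."""
    if request.get_header("Cookie") == SUPERUSER_COOKIE:
        return 200, USERS_BODY
    return 200, DENIED_BODY


def token_first_fetch(request):
    """Behaviour the reporter expected: a supplied token_auth alone decides."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(request.full_url).query)
    token = query.get("token_auth", [""])[0]
    return (200, USERS_BODY) if token == SUPERUSER_TOKEN else (200, DENIED_BODY)


if __name__ == "__main__":
    # Offline run against the simulation; pass fetch=live_fetch to test a real instance.
    print(check_token_precedence(READONLY_TOKEN, SUPERUSER_COOKIE,
                                 fetch=session_first_fetch))
```

Against a real instance, paste the `MATOMO_SESSID` cookie from the superuser's browser into `SUPERUSER_COOKIE` and call `check_token_precedence(READONLY_TOKEN, SUPERUSER_COOKIE)`; `urllib` never sends cookies it was not explicitly given, so the `token_only` leg is the cookie-less request a browser tab cannot give you.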
tsteur added the Bug label (For errors / faults / flaws / inconsistencies etc.) on Dec 3, 2018
Update: Found a Matomo instance that was still using 3.6.1 and it was working fine there. #13554 was the only change that affects sessions, so I guess it has caused the bug.
@Findus23 I've tried to reproduce this in the latest 3.x-dev and couldn't reproduce it. Not sure if it was indirectly fixed, or maybe try to disable all third-party plugins to see if it still happens?
Findus23 added the worksforme label (The issue cannot be reproduced and things work as intended.) and removed the Bug label (For errors / faults / flaws / inconsistencies etc.) on Dec 25, 2018