@iherwig opened this Issue on December 18th 2018

I installed Matomo 3.7.0 following the installation guide (set up super user and first website). When I use the super user account to log in to the dashboard, the dashboard is empty and I get the following error message:

You can't access this resource as it requires 'view' access for the website id = 1.

At the top of the Settings > Personal > Settings page I get the error message:

You must be logged in to access this functionality.

On the Settings > Websites > Manage page I get the error message:

You can't access this resource as it requires view access for at least one website.

and the text:

Your Web Analytics reports need Websites! Add, update, delete Websites, and show the JavaScript to insert in your pages. You currently have access to ? websites.
A user with Super User access can also specify global settings for new websites.

The application is running on Apache/2.4.35, PHP 7.2. Browser is Firefox 64.0 (64-Bit) or Chrome 71.0.3578.98 (64-Bit).

There seems to be something wrong with the user permissions. Can you help me please?

@fdellwing commented on December 18th 2018 Contributor

Did you check for any JavaScript or PHP errors?

@iherwig commented on December 18th 2018

Thanks for your reply.

In the JavaScript console I get:

Possibly unhandled rejection: You can't access this resource as it requires 'view' access for the website id = 1. index.php:245:467
e/< [...]/analytics/index.php:245:467
Cf/this.$get</< [...]/analytics/index.php:217:340
g [...]/analytics/index.php:257:360
$digest [...]/analytics/index.php:269:70
$apply [...]/analytics/index.php:272:279
l [...]/analytics/index.php:224:393
zg/</s.onload [...]/analytics/index.php:230:297

I can't check the PHP logfiles because the site is installed on a shared hosting environment.

Are there any special requirements for PHP? Can I check the database, if everything is set up correctly?

@fdellwing commented on December 18th 2018 Contributor

The installer should check the PHP env while installing. Can you check if your shared hosting is using mod_sec2? Matomo does not work with most configs of mod_sec2. You could ask your hoster to send you the logs?

@Findus23 commented on December 18th 2018 Member

@iherwig commented on December 18th 2018

Yes, these posts seem to describe the same problem. My System Check also reports everything ok except for the warning "Geolocation works, but you are not using one of the recommended providers."

@tsteur commented on December 18th 2018 Member

There were a couple of PRs that improve session handling, e.g. https://github.com/matomo-org/matomo/pull/13865 and https://github.com/matomo-org/matomo/pull/13869. I presume the next beta might fix the issues once those PRs are merged.

@iherwig commented on December 19th 2018

@fdellwing Seems like mod_security2 is active and I will not get the logs from the hoster. Is there a workaround, if mod_security2 is causing these problems?
@tsteur Do you know when the next beta will be released? I would like to test if it resolves the problems.

@tsteur commented on December 19th 2018 Member

I would say there will be one more beta before Christmas holidays.

@fdellwing commented on December 20th 2018 Contributor

@iherwig I doubt your hoster compiled mod_sec2 with the --enable-htaccess-config flag, so if he does not want to help you, you might be in bad luck. Matomo does not work well with mod_sec2; even if you get the backend to run, random (or all) tracking calls might get blocked by it.

refs: https://github.com/matomo-org/matomo/issues/3371

@iherwig commented on December 20th 2018

I was looking deeper into this.

The dashboard makes a POST request to [...]index.php?date=yesterday&filter_limit=-1&format=JSON2&idSite=1&method=API.getReportPagesMetadata&module=API&period=day which sends the token_auth parameter and returns an empty response and status code 302 (location [...]?date=yesterday&filter_limit=-1&format=JSON2&idSite=1&method=API.getReportPagesMetadata&module=API&period=day).

The following GET request to the returned location returns the error response {"result":"error","message":"You can't access this resource as it requires 'view' access for the website id = 1."} (I guess because the token_auth is missing).

All requests send the valid session id in the cookie header, and on the server some requests also seem to be authorized.

In the server log I see:

[...]/core/Access.php(537): You can't access this resource as it requires 'view' access for the website id = 1.
[...]/core/Piwik.php(511): Piwik\Access->checkUserHasViewAccess(Array)
[...]/plugins/API/API.php(351): Piwik\Piwik::checkUserHasViewAccess('1')

[...]/core/API/Proxy.php(232): call_user_func_array(Array, Array)
[...]/core/Context.php(28): Piwik\API\Proxy->Piwik\API{closure}()
[...]/core/API/Proxy.php(323): Piwik\Context::executeWithQueryParameters(Array, Object(Closure))
[...]/core/API/Request.php(263): Piwik\API\Proxy->call('\Piwik\Plugins\...', 'getReportPagesM...', Array)
[...]/plugins/API/Controller.php(41): Piwik\API\Request->process()

[...]/core/FrontController.php(556): call_user_func_array(Array, Array)
[...]/core/FrontController.php(144): Piwik\FrontController->doDispatch('API', false, Array)
[...]/core/dispatch.php(34): Piwik\FrontController->dispatch()
[...]/index.php(27): require_once('[...]...')
{main}

There is another POST request before that to [...]?module=API&method=API.getWidgetMetadata&filter_limit=-1&format=JSON&deep=1&idSite=1, that returns status code 200 and data. I wonder why the second POST request returns a redirect instead of data.
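
The exchange described in the comment above, as an added example that is not part of the original thread and not Matomo code: a local stub server (hypothetical; the `redirect=1` switch and the token value are constructed for the demo) answers a form POST with a 302, and Python's urllib follows it with a body-less GET, so `token_auth` never arrives. The third call refuses to follow redirects, which surfaces the 302 and its Location for diagnosis.

```python
import json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, parse, request

TOKEN = "constructed-token"  # constructed sample value, not a real credential
# Hypothetical stand-in for index.php: accepts token_auth only in a POST body.
class StubAPI(BaseHTTPRequestHandler):
    def _reply(self, status, payload=None, location=None):
        body = json.dumps(payload).encode() if payload else b""
        self.send_response(status)
        if location: self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        if "redirect=1" in self.path:  # assumption: something answers this POST with a 302
            return self._reply(302, location=self.path)
        ok = parse.parse_qs(raw).get("token_auth") == [TOKEN]
        self._reply(200, {"result": "success" if ok else "error"})

    def do_GET(self):  # a followed redirect lands here: no body, so no token_auth
        self._reply(200, {"result": "error", "message": "requires 'view' access"})
    def log_message(self, *args): pass  # keep the demo quiet

class NoRedirect(request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 302 then surfaces as an HTTPError

def post(url, follow=True):  # returns (status, JSON body or Location header)
    # Empty ProxyHandler: talk to loopback directly, ignoring proxy environment variables.
    opener = request.build_opener(request.ProxyHandler({}), *([] if follow else [NoRedirect]))
    data = parse.urlencode({"token_auth": TOKEN}).encode()
    try:
        with opener.open(request.Request(url, data=data), timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as err:
        return err.code, err.headers.get("Location")

def demo():
    with HTTPServer(("127.0.0.1", 0), StubAPI) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/index.php?module=API"
        try:  # direct POST, POST with followed 302, POST with the 302 left unfollowed
            return post(url), post(url + "&redirect=1"), post(url + "&redirect=1", follow=False)
        finally:
            server.shutdown()
if __name__ == "__main__":
    print(demo())
```

Browsers treat a 302 on a POST the same way, so in the network panel the symptom is a POST with an empty 302 response followed by a GET to the same URL.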

@tsteur commented on December 20th 2018 Member

Funny... we had maybe a similar issue here: https://github.com/matomo-org/matomo/issues/13883 and proposed a fix in https://github.com/matomo-org/matomo/pull/13892, but I couldn't actually reproduce the issue. Not sure if related. It also somehow reminds me of https://github.com/matomo-org/matomo/issues/13795. Can you always reproduce this issue? What are the exact steps and what kind of access does your user have? View, Write, Admin or Super user? Do you know?

@iherwig commented on December 21st 2018

Yes, it happens reproducibly every time after login when the dashboard is loaded. The user is super user.
Some other POST requests that return a 302 redirect with an empty response:

  • [...]/index.php?date=yesterday&format=JSON2&idSite=1&method=CorePluginsAdmin.getUserSettings&module=API&period=day (Settings > Personal > Settings page, error message: You must be logged in to access this functionality.)
  • [...]/index.php?date=yesterday&format=JSON2&idSite=1&method=CorePluginsAdmin.getSystemSettings&module=API&period=day (Settings > Websites > Manage page, error message: You can't access this resource as it requires view access for at least one website.)

I will try to understand what is happening on the server side at the beginning of the new year.

@tsteur commented on December 23rd 2018 Member

Thanks, it would be great if you could try to understand what is happening. I've been trying to reproduce this for a while but can't. Ideally, also make sure all plugins are up to date just in case.
