Fix blocked XHR requests when widgetizing dashboard #14657

Merged
merged 1 commit into from Jul 17, 2019


katebutler

Fixes #14446

@katebutler katebutler added this to the 3.11.0 milestone Jul 14, 2019
@katebutler katebutler added the Needs Review PRs that need a code review label Jul 14, 2019
if ($auth && !$auth->getLogin() && method_exists($auth, 'getTokenAuth') && $auth->getTokenAuth()) {
// when authenticated by token only, we do not require 2fa
// needed eg for rendering exported widgets authenticated by token
return false;
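
Review bot: The condition `!$auth->getLogin() && ... && $auth->getTokenAuth()` only establishes that the login is empty and a token_auth value is present on the auth object; nothing in these lines shows that the token has been validated or that it grants any access, so the inline comment "when authenticated by token only" claims more than the check proves. Either note in the comment where the token is verified before this point is reached, or add an explicit access check to the condition so that the 2FA exemption applies only to requests that were actually granted access through the token and never to a regular login/session request that also happens to carry a token_auth value. It would also help to document that auth implementations without a `getTokenAuth` method fall through to the normal 2FA requirement because of the `method_exists` guard.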
Member

Wouldn't that actually allow bypassing the 2FA everywhere when using the tokenauth?

Member

That should be fine though. You basically can't do 2FA for the token_auth and that's already the behaviour for the API as well. We just need to make sure the user is actually authenticated using the token and not through regular login/session.

Not sure but could also add another check in the if like Piwik::isUserHasAtLeastSomeViewAccess() but not sure if needed or if it makes sense.

@tsteur tsteur merged commit 6411472 into 3.x-dev Jul 17, 2019
@tsteur tsteur deleted the 14466 branch July 17, 2019 04:13
@mattab mattab added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Jul 23, 2019
Successfully merging this pull request may close these issues.

2FA Prevents dashboard from being embedded