This change is not really needed, I guess, but it might be better to allow authentication using tokens only for users when the token used has only view access. This may be helpful if a user otherwise tries to embed some screens using token_auth.
Should there be any regressions that we can't fix we could undo it again.
Build is failing; looks like this has some other side effects.
@diosmosis tests should pass now
@tsteur Can you summarize what security impact this has, or what privileges can be gained by exploiting this?
@attritionorg I assume you refer to when someone uses the token of a write, admin or super user? If the widgetized URL is shared with other users and that URL includes the token, then the people that token is shared with would gain the same privileges over the API. As a best practice, we're now enforcing that only tokens for view users are used. So if someone were to embed the widget into an internal wiki or so for all employees, then they only have "view" access. Not sure if this roughly answers the question?
I think it does, thank you @tsteur. The initial language in this PR made it sound like this could be an exploitable security issue so was looking for clarity.
FYI, added a mention in the guide: https://matomo.org/docs/embed-matomo-reports/
Note: for security reasons, embedding the reports will only work when you use a token of the "View" permission (if you use a "Write" or "Admin" permission token an error message will be displayed instead.)