@tsteur opened this Pull Request on August 4th 2020 Member

This change isn't really needed I guess, but it might be better to allow authentication using tokens only for users when the used token has only view access. This may be helpful if otherwise a user tries to embed some screens using token_auth.

Should there be any regressions that we can't fix we could undo it again.

@diosmosis commented on August 5th 2020 Member

Build is failing; looks like this has some other side effects.

@tsteur commented on August 8th 2020 Member

@diosmosis tests should pass now

@attritionorg commented on October 1st 2020

@tsteur Can you summarize what security impact this has, or what privileges can be gained by exploiting this?

@tsteur commented on October 1st 2020 Member

@attritionorg I assume you refer to when someone uses the token of a write, admin or super user? If the widgetized URL is shared with other users and that URL includes the token, then the people that token is shared with would gain the same privileges over the API. As a best practice we're now enforcing the use of tokens only for view users. So if someone was to embed the widget into an internal wiki or so for all employees, then they only have "view" access. Not sure if this roughly answers the question?
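The policy described in the comment above, as an added example that is not Matomo's own code: a simulated check for embed (widgetized) requests that accepts a token_auth only when the owning user has nothing above view access. The token table, the access levels per site and the rule that write/admin access on any site disqualifies the token are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Ordering of access levels; anything ranked above "view" must not be embedded.
ACCESS_RANK = {"noaccess": 0, "view": 1, "write": 2, "admin": 3, "superuser": 4}

# Constructed token table (not real tokens): token -> (login, {site_id: access}, is_superuser)
TOKENS = {
    "tok_viewer_aaa": ("viewer", {1: "view", 2: "view"}, False),
    "tok_mixed_bbb": ("editor", {1: "view", 2: "write"}, False),
    "tok_admin_ccc": ("admin", {1: "admin"}, False),
    "tok_super_ddd": ("root", {}, True),
}


def highest_access(token):
    """Highest access level the token grants on any site, or None if unknown."""
    entry = TOKENS.get(token)
    if entry is None:
        return None
    _login, sites, is_super = entry
    if is_super:
        return "superuser"
    if not sites:
        return "noaccess"
    # Assumption: write/admin on *any* site is enough to refuse the token for embedding,
    # because a leaked embed URL would carry that access to everyone it is shared with.
    return max(sites.values(), key=ACCESS_RANK.__getitem__)


def check_embed_request(url):
    """Return (allowed, reason) for a request URL that may carry token_auth."""
    query = parse_qs(urlsplit(url).query)
    if query.get("module", [""])[0] != "Widgetize":
        return True, "not a widgetized request; embed policy does not apply"
    token = query.get("token_auth", [""])[0]
    if not token:
        return True, "no token; regular anonymous-access rules apply"
    level = highest_access(token)
    if level is None:
        return False, "unknown token"
    if ACCESS_RANK[level] > ACCESS_RANK["view"]:
        return False, f"token has {level} access; only view tokens may be embedded"
    return True, "view-only token accepted"


if __name__ == "__main__":
    base = "https://analytics.example/index.php?module=Widgetize&action=iframe&idSite=1&token_auth="
    for tok in TOKENS:
        print(tok, check_embed_request(base + tok))
```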

@attritionorg commented on October 1st 2020

I think it does, thank you @tsteur. The initial language in this PR made it sound like this could be an exploitable security issue, so I was looking for clarity.

@mattab commented on November 4th 2020 Member

FYI, added a mention in the guide: https://matomo.org/docs/embed-matomo-reports/

Note: for security reasons, embedding the reports will only work when you use a token of the "View" permission (if you use a "Write" or "Admin" permission token an error message will be displayed instead.)

This Pull Request was closed on August 10th 2020