Add new INI config [General] enable_framed_allow_write_admin_token_auth… #16595
Conversation
…th to allow framed matomo use case to still function in Matomo 4.
diosmosis
added
not-in-changelog
config/global.ini.php
Outdated
| ; Set to 1 to allow using token_auths with write or admin access in iframes that embed Matomo. | ||
| ; Note that the token used will be in the URL in the iframe, and thus will be stored in webserver | ||
| ; logs and possibly other places. Using write or admin token_auths can be seen as a security risk, | ||
| ; thought it can be necessary in some use cases. |
There was a problem hiding this comment.
is it supposed to be though instead of thought? Be good to mention specifically like We do not recommend enabling this setting, for more information view the FAQ: ...? with the link to the other FAQ
core/FrontController.php
Outdated
| Request::reloadAuthUsingTokenAuth(); | ||
|
|
||
| if (Access::getInstance()->hasSuperUserAccess()) { |
There was a problem hiding this comment.
could maybe move this into isTokenAuthLimitedToViewAccess method and then rename the method isTokenAuthLimitedToViewAccess ? Just in case it will ever be reused in other places.
There was a problem hiding this comment.
Will refactor to merge the logic.
| @@ -460,13 +461,19 @@ private static function forceReloadAuthUsingTokenAuth($tokenAuth) | |||
| */ | |||
| public static function isTokenAuthLimitedToViewAccess($module, $action) | |||
| { | |||
| $allowWriteAmin = Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] == 1; | |||
There was a problem hiding this comment.
btw be good to add 2 or 3 simple tests for this method
|
@tsteur added the tests, took a while to get them to pass due to a weird quirk of phpunit |
|
The test |
plugins/Widgetize/lang/en.json
Outdated
| "TopLinkTooltip": "Export Matomo Reports as Widgets and embed the Dashboard in your app as an iframe." | ||
| "ViewAccessRequired": "This user has at least some write access. Only tokens of users who have only view access can be used. See %1$s for more information.", | ||
| "TopLinkTooltip": "Export Matomo Reports as Widgets and embed the Dashboard in your app as an iframe.", | ||
| "TooHighAccessLevel": "This user has too much access for embedding widgets. Please use a user less access." |
There was a problem hiding this comment.
Maybe we could say This user has super user access. For embedding widgets please use the token of a user that has view access only.? could then also maybe link to https://matomo.org/faq/troubleshooting/faq_147/ if needed?
There was a problem hiding this comment.
This error could also occur if the allow admin/write token auth setting is set, so will change it toThis user has super user access. For embedding widgets super user token auths are not allowed. %1$sSee our faq for more information.%2$s.
|
👍 feel free to merge once the tests pass @diosmosis |
… to allow framed matomo use case to still function in Matomo 4.
Fixes #16554
NOTE: faq is updated at https://matomo.org/faq/troubleshooting/#faq_147