New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add new INI config [General] enable_framed_allow_write_admin_token_auth… #16595
Conversation
…th to allow framed matomo use case to still function in Matomo 4.
config/global.ini.php
Outdated
; Set to 1 to allow using token_auths with write or admin access in iframes that embed Matomo. | ||
; Note that the token used will be in the URL in the iframe, and thus will be stored in webserver | ||
; logs and possibly other places. Using write or admin token_auths can be seen as a security risk, | ||
; thought it can be necessary in some use cases. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it supposed to be though
instead of thought
? Be good to mention specifically like We do not recommend enabling this setting, for more information view the FAQ: ...
? with the link to the other FAQ
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
core/FrontController.php
Outdated
Request::reloadAuthUsingTokenAuth(); | ||
|
||
if (Access::getInstance()->hasSuperUserAccess()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could maybe move this into isTokenAuthLimitedToViewAccess
method and then rename the method isTokenAuthLimitedToViewAccess
? Just in case it will ever be reused in other places.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will refactor to merge the logic.
@@ -460,13 +461,19 @@ private static function forceReloadAuthUsingTokenAuth($tokenAuth) | |||
*/ | |||
public static function isTokenAuthLimitedToViewAccess($module, $action) | |||
{ | |||
$allowWriteAmin = Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] == 1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
btw be good to add 2 or 3 simple tests for this method
@tsteur added the tests, took a while to get them to pass due to a weird quirk of phpunit |
The test |
plugins/Widgetize/lang/en.json
Outdated
"TopLinkTooltip": "Export Matomo Reports as Widgets and embed the Dashboard in your app as an iframe." | ||
"ViewAccessRequired": "This user has at least some write access. Only tokens of users who have only view access can be used. See %1$s for more information.", | ||
"TopLinkTooltip": "Export Matomo Reports as Widgets and embed the Dashboard in your app as an iframe.", | ||
"TooHighAccessLevel": "This user has too much access for embedding widgets. Please use a user less access." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we could say This user has super user access. For embedding widgets please use the token of a user that has view access only.
? could then also maybe link to https://matomo.org/faq/troubleshooting/faq_147/ if needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This error could also occur if the allow admin/write token auth setting is set, so will change it toThis user has super user access. For embedding widgets super user token auths are not allowed. %1$sSee our faq for more information.%2$s
.
👍 feel free to merge once the tests pass @diosmosis |
… to allow framed matomo use case to still function in Matomo 4.
Fixes #16554
NOTE: faq is updated at https://matomo.org/faq/troubleshooting/#faq_147