Widget access always only works with view access not respecting new config setting #16869

tsteur · 2020-12-02T19:56:17Z

I think https://github.com/matomo-org/matomo/blob/4.0.3/plugins/Widgetize/Controller.php#L36-L39 is not respecting the enable_framed_allow_write_admin_token_auth setting @diosmosis ?

It should be maybe also using https://github.com/matomo-org/matomo/blob/4.0.3/core/API/Request.php#L461 when token_auth is not empty?

Technically, I think that code is not even needed in Widgetized controller as it's already done in Frontcontroller but it be generally maybe still good to simply call that existing method also (unless there's some reason not to call that method). Just to be sure it'll be executed in widgetized action no matter how it is executed.

I didn't actually test it. Only saw the code and it looks like this will be causing issues.

The text was updated successfully, but these errors were encountered:

tsteur added the Regression Indicates a feature used to work in a certain way but it no longer does even though it should. label Dec 2, 2020

tsteur added this to the 4.0.3 milestone Dec 2, 2020

diosmosis self-assigned this Dec 2, 2020

diosmosis mentioned this issue Dec 2, 2020

Use existing Request method w/ correct logic for limiting widgetize access. #16871

Merged

9 tasks

tsteur closed this as completed in #16871 Dec 3, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Widget access always only works with view access not respecting new config setting #16869

Widget access always only works with view access not respecting new config setting #16869

tsteur commented Dec 2, 2020 •

edited

Widget access always only works with view access not respecting new config setting #16869

Widget access always only works with view access not respecting new config setting #16869

Comments

tsteur commented Dec 2, 2020 • edited

tsteur commented Dec 2, 2020 •

edited