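As your documentation says I have created a view-only user with a token and when using that token to show a widget I'm getting an error saying "This user has superuser access". It works if I load the same url while logged out or in another browser. Seems odd if it shouldn't work since this should be a fairly common case.
Example url: http://localhost:8000/index.php?module=Widgetize&action=iframe&forceView=1&disableLink=1&token_auth=xxx&moduleToWidgetize=VisitsSummary&actionToWidgetize=getEvolutionGraph&viewDataTable=graphEvolution&idSite=1&date=2021-02-09,2021-03-10&period=range
Expected Behavior
It should be possible to show the widget even if you are currently logged in as a super user in the same browser.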
Current Behavior
Error message saying
"This user has super user access. For embedding widgets super user token auths are not allowed. See our faq for more information."
Possible Solution
I have tried to follow the code and it seems that when using the token_auth parameter there is a call to the method Request::reloadAuthUsingTokenAuth eventually landing in Access::reloadAccess, however it returns without reloading since $this->hasSuperUserAccess is still true from the session auth.
Steps to Reproduce (for Bugs)
Create user with view permissions and generate a token
Create a widgetized url and add the token to the url
Load the url in a browser where you are logged in as a super user
Context
We are trying to embed widgets in an external dashboard.
Your Environment
I'm running your latest docker image.
Matomo Version: 4.2.1
Hi @carlgrundberg, thanks for creating this issue. Very appreciated.
I've just tried it and I was able to reproduce this.
It is definitely a bug. Sorry about it, we’ll do our best so we can hopefully get things sorted soon.
flamisz added the Bug label and removed the Potential Bug label on Mar 11, 2021.
Thanks for confirming. I guess it would make more sense to check if a token-param exists before setting up the session auth, to avoid authenticating twice. But maybe it's hard to change in the current execution flow.
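The stale-state problem analysed in the issue, and the ordering change suggested in the reply above, as an added example that is not Matomo's code and not part of the original thread. `AccessModel`, its methods and the credential names are hypothetical; only the `hasSuperUserAccess` flag and the `token_auth` parameter come from the report.

```php
<?php
// Hypothetical, simplified model of the flow described in this issue.
// Not Matomo code: class, method and credential names are made up.
final class AccessModel
{
    private ?string $login = null;
    private bool $hasSuperUserAccess = false;
    private array $users;

    public function __construct(array $users) { $this->users = $users; }

    // Reload as the report describes it: a cached superuser flag
    // short-circuits, so the newly supplied credential is never evaluated.
    public function reload(string $credential): void
    {
        if ($this->hasSuperUserAccess) {
            return;
        }
        if (!isset($this->users[$credential])) {
            throw new RuntimeException('unknown credential');
        }
        $this->login = $this->users[$credential]['login'];
        $this->hasSuperUserAccess = $this->users[$credential]['superuser'];
    }

    public function effectiveUser(): string
    {
        return ($this->login ?? 'anonymous') . ($this->hasSuperUserAccess ? ' [superuser]' : ' [not superuser]');
    }
}

// Constructed sample credentials.
$users = [
    'session-cookie' => ['login' => 'admin', 'superuser' => true],
    'view-token'     => ['login' => 'viewer', 'superuser' => false],
];

// Flow A: session auth runs first, so the later token reload is skipped.
$a = new AccessModel($users);
$a->reload('session-cookie');
$a->reload('view-token');
echo 'session then token: ', $a->effectiveUser(), PHP_EOL;

// Flow B: choose the credential before authenticating; token_auth wins.
$request = ['token_auth' => 'view-token'];
$b = new AccessModel($users);
$b->reload($request['token_auth'] ?? 'session-cookie');
echo 'token chosen first: ', $b->effectiveUser(), PHP_EOL;
```

In flow A the request is still evaluated as the session's superuser, which is the identity a superuser-token check for widgets would then reject; in flow B the effective identity is the view-only token user.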