@notken opened this Issue on April 23rd 2021

Expected Behavior

When providing a token in the URL for an embedded widget, I would expect the widget to use that token user for authorisation. The token I'm providing is for a read-only user.

Current Behavior

I have a superuser login and a cookie for that login. If I use the widget URL while logged in, it's using my cookie/session for authorisation, complaining that I can't use a super user for embedding widgets. It's not using the token I'm providing in the URL.

Possible Solution

If a token is provided in the URL this should always take priority over any session details the browser is sending.

Steps to Reproduce (for Bugs)

  1. Be logged in to the dashboard as a superuser.
  2. Create a readonly user and create a token.
  3. Add the token to the URL for an embedded widget. It will complain that you are using a super user token.
  4. Log out of the dashboard and use the URL again. This time it's fine.


While it's possible to log out of the dashboard, it's inconvenient to have to do that to test embedded widgets, and I can't control what our users may have done. For some we will allow them to have access to the dashboard as well as embedding widgets in our own CMS. We can't expect them to have to log out of the Matomo dashboard in order to use our CMS.

Your Environment

  • Matomo Version: 4.2.1
  • PHP Version: 7.4.1
  • Server Operating System: Win Server 2016
  • Additionally installed plugins: QueuedTracking
  • Browser:
  • Operating System:
@sgiehl commented on April 23rd 2021 Member

Hi @notken. Thanks for creating this report. That's indeed something we should improve. I guess any widgetized report should always only use the authentication for the given token_auth instead of any session.
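
The precedence rule discussed above, as an added example that is not part of the original thread and is not Matomo's code: a model of a widget endpoint that uses only the `token_auth` from the URL when one is present and never falls back to the session cookie, even if the token is invalid. The user, token and session stores, the `session` cookie name and all function names are hypothetical, and the sample values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    login: str
    superuser: bool


class AuthError(Exception):
    """Raised when a widget request cannot be authenticated."""


# Constructed sample data (hypothetical stores, not Matomo's schema).
USERS = {"admin": User("admin", True), "viewer": User("viewer", False)}
TOKENS = {"viewer-token": "viewer", "admin-token": "admin"}
SESSIONS = {"sess-admin": "admin", "sess-viewer": "viewer"}


def resolve_widget_user(params: dict, cookies: dict) -> User:
    """Choose the identity for an embedded-widget request."""
    token = params.get("token_auth")
    if token is not None:
        # An explicit credential was supplied: the session cookie is ignored,
        # and an unknown token fails closed instead of falling back to it.
        login = TOKENS.get(token)
        if login is None:
            raise AuthError("invalid token_auth")
    else:
        # No token in the URL: only now is the ambient session considered.
        login = SESSIONS.get(cookies.get("session", ""))
        if login is None:
            raise AuthError("not authenticated")
    user = USERS[login]
    if user.superuser:
        # Embedding with a superuser identity is refused either way.
        raise AuthError("superuser not allowed for embedded widgets")
    return user


if __name__ == "__main__":
    # The case from the report: read-only token in the URL, superuser cookie.
    who = resolve_widget_user({"token_auth": "viewer-token"},
                              {"session": "sess-admin"})
    print(who.login)
```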

@diosmosis commented on April 23rd 2021 Member
@notken commented on April 23rd 2021

I agree. It does seem identical. Can anyone merge them, or should I just close this one?

@diosmosis commented on April 23rd 2021 Member

I can close it. Regardless, thanks for taking the time to report the issue @notken!

This Issue was closed on April 23rd 2021