Matomo iframe widgets report “For embedding widgets super user token auths are not allowed” but auth token is read-only #17493
Labels
c: Usability
For issues that let users achieve a defined goal more effectively or efficiently.
duplicate
For issues that already existed in our issue tracker and were reported previously.
Expected Behavior
When providing a token in the URL for an embedded widget, I would expect the widget to use that token user for authorisation. The token I'm providing is for a read-only user.
Current Behavior
I have a superuser login and a cookie for that login. If I use the widget URL while logged in, it's using my cookie/session for authorisation, complaining that I can't use a super user for embedding widgets. It's not using the token I'm providing in the URL.
Possible Solution
If a token is provided in the URL this should always take priority over any session details the browser is sending.
Steps to Reproduce (for Bugs)
Context
While it's possible to log out of the dashboard, it's inconvenient to have to do that to test embedded widgets, and I can't control what our users may have done. For some we will allow them to have access to the dashboard as well as embedding widgets in our own CMS. We can't expect them to have to log out of the matomo dashboard in order to use our CMS.
Your Environment
The text was updated successfully, but these errors were encountered: