Matomo iframe widgets report “For embedding widgets super user token auths are not allowed” but auth token is read-only #17493
Labels
c: Usability
For issues that let users achieve a defined goal more effectively or efficiently.
duplicate
For issues that already existed in our issue tracker and were reported previously.
Comments
notken
added
the
Potential Bug
|
Hi @notken. Thanks for creating this report. That's indeed something we should improve. I guess any widgetized report should always only use the authentication for the given token_auth instead of any session. |
sgiehl
added
c: Usability
|
I agree. It does seem identical. Can anyone merge them, or should I just close this one? |
|
I can close it. Regardless, thanks for taking the time to report the issue @notken! |
diosmosis
added
the
duplicate
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected Behavior
When providing a token in the URL for an embedded widget, I would expect the widget to use that token user for authorisation. The token I'm providing is for a read-only user.
Current Behavior
I have a superuser login and a cookie for that login. If I use the widget URL while logged in, it's using my cookie/session for authorisation, complaining that I can't use a super user for embedding widgets. It's not using the token I'm providing in the URL.
Possible Solution
If a token is provided in the URL this should always take priority over any session details the browser is sending.
Steps to Reproduce (for Bugs)
Context
While it's possible to log out of the dashboard, it's inconvenient to have to do that to test embedded widgets, and I can't control what our users may have done. For some we will allow them to have access to the dashboard as well as embedding widgets in our own CMS. We can't expect them to have to log out of the matomo dashboard in order to use our CMS.
Your Environment
The text was updated successfully, but these errors were encountered: