When providing a token in the URL for an embedded widget, I would expect the widget to use that token's user for authorisation. The token I'm providing is for a read-only user.
I have a superuser login and a cookie for that login. If I use the widget URL while logged in, it's using my cookie/session for authorisation, complaining that I can't use a super user for embedding widgets. It's not using the token I'm providing in the URL.
If a token is provided in the URL this should always take priority over any session details the browser is sending.
While it's possible to log out of the dashboard, it's inconvenient to have to do that to test embedded widgets, and I can't control what our users may have done. For some we will allow them to have access to the dashboard as well as embedding widgets in our own CMS. We can't expect them to have to log out of the Matomo dashboard in order to use our CMS.
Hi @notken. Thanks for creating this report. That's indeed something we should improve. I guess any widgetized report should always only use the authentication for the given token_auth instead of any session.
@sgiehl I think this is a duplicate of https://github.com/matomo-org/matomo/issues/17335
I agree. It does seem identical. Can anyone merge them, or should I just close this one?
I can close it. Regardless, thanks for taking the time to report the issue @notken!