@notken
Expected Behavior
When providing a token in the URL for an embedded widget, I would expect the widget to use that token user for authorisation. The token I'm providing is for a read-only user.
Current Behavior
I have a superuser login and a cookie for that login. If I use the widget URL while logged in, it's using my cookie/session for authorisation, complaining that I can't use a super user for embedding widgets. It's not using the token I'm providing in the URL.
Possible Solution
If a token is provided in the URL this should always take priority over any session details the browser is sending.
Steps to Reproduce (for Bugs)
- Be logged in to the dashboard as a superuser.
- Create a readonly user and create a token.
- Add the token to the URL for an embedded widget. It will complain that you are using a super user token.
- Log out of the dashboard and use the URL again. This time it's fine.
Context
While it's possible to log out of the dashboard, it's inconvenient to have to do that to test embedded widgets, and I can't control what our users may have done. For some we will allow them to have access to the dashboard as well as embedding widgets in our own CMS. We can't expect them to have to log out of the matomo dashboard in order to use our CMS.
Your Environment
- Matomo Version: 4.2.1
- PHP Version: 7.4.1
- Server Operating System: Win Server 2016
- Additionally installed plugins: QueuedTracking
- Browser:
- Operating System:
@sgiehl
Hi @notken. Thanks for creating this report. That's indeed something we should improve. I guess any widgetized report should always only use the authentication for the given token_auth instead of any session.
@diosmosis
@sgiehl I think this is a duplicate of https://github.com/matomo-org/matomo/issues/17335
I agree. It does seem identical. Can anyone merge them, or should I just close this one?
I can close it. Regardless, thanks for taking the time to report the issue @notken!