@Starker3 opened this Issue on August 8th 2022 Contributor

There is currently no security alert sent when the anonymous user is enabled for a Matomo instance. It also doesn't require a password for verification.

This means that any user that can set access for user accounts for a site/measurable could enable it without properly reading the warning and allow public access to their reports.

It would be good from a security perspective to do the following:

  1. Send an email alert to all super users that the anonymous user has been given access to site(s)
  2. Require password verification (There is already a popup, but this can be clicked without needing a password)
  3. Potentially send an email notification once a week/month to super users as a scheduled task so that they are reminded that their reports are publicly accessible.
    This would be useful for people who already have the anonymous user active and wouldn't have got the security alert.
@sgiehl commented on August 12th 2022 Member

Would you mind defining what the expected behavior should be when selecting multiple users (including anonymous) in the list and giving all view access at once? Currently not even the additional access warning is shown in that case.

@tsteur commented on August 14th 2022 Member

FYI it's actually too easy to give an anonymous user view access by accident. Especially using the multi select. Maybe an anonymous user cannot be enabled in the UI along with other users in the future?

And/or maybe ideally the anonymous user wouldn't appear in the users list until specifically enabled to appear there. We could always show eg this menu item:

image

and have a setting to enable/disable the anonymous user setting feature (just a random example).

image

Just few ideas.

Powered by GitHub Issue Mirror