Anonymous user access doesn't send any security alerts or require password verification #19607
Comments
Would you mind defining what the expected behavior should be when selecting multiple users (including anonymous) in the list and giving all
Just confirm the changes for this issue. @mattab @tsteur
Question:
@mattab can you please offer your thoughts on @peterhashair's approach and questions here?
Additionally:
The proposed new screen (inspired by https://user-images.githubusercontent.com/273120/184553332-1de9f682-9e77-4f1a-93d6-3863d84aa9dc.png) & email message microcopy will be provided by @Javi-Ormaechea shortly
@mattab any update on this?
Hi @Javi-Ormaechea
There is currently no security alert sent when the anonymous user is enabled for a Matomo instance. It also doesn't require a password for verification.
This means that any user that can set access for user accounts for a site/measurable could enable it without properly reading the warning and allow public access to their reports.
It would be good from a security perspective to do the following:
This would be useful for people who already have the anonymous user active and wouldn't have got the security alert.