create-security-files should allow access to files that are needed by plugins to be publically accessible #19613

Summary

On our server, we currently run Matomo version 4.11.0. Matomo updates are managed using Ansible. After every update, ./console core:create-security-files is run. This has worked fine so far.
Recently, we installed the HeatmapSessionRecording plugin. For this plugin, the system check reported that plugins/HeatmapSessionRecording/configs.php is inaccessible and a manual check in the browser indeed revealed a 403 status code. Access to this file was blocked by the .htaccess file that was created by ./console core:create-security-files in the plugins directory. Even after installing the HeatmapSessionRecording plugin, activating it, and re-running ./console core:create-security-files, access to plugins/HeatmapSessionRecording/configs.php was still blocked. Deleting plugins/.htaccess allowed access in our case but is not an optimal solution.

It would be nice if core:create-security-files would create an .htaccess file in the plugins directory that would allow access to files that are needed to be publically accessible by plugins.
Perhaps there could be some facility for Matomo plugins to report which files they need to be publically accessible and core:create-security-files would generate the .htaccess file in the plugins directory accordingly.

Your Environment

• Matomo Version: 4.11.0
• PHP Version: 7.4.19
• Server Operating System: Red Hat Enterprise Linux 8.6
• Additionally installed plugins: FormAnalytics, HeatmapSessionRecording

@Hiradur, thanks for reporting this. The HeatmapSessionRecording plugin folder should contain it's own .htaccess file to allow access to plugins/HeatmapSessionRecording/configs.php. It sounds like this isn't working.

Could you please confirm that the plugins/HeatmapSessionRecording/.htaccess file is present on your server and post the contents? This will hopefully help us understand what is happening.

There is no .htaccess file in plugins/HeatmapSessionRecording/. I think this is due to the way how we installed the plugin: we downloaded HeatmapSessionRecording-4.4.3.zip from https://plugins.matomo.org/download and extracted it to the matomo/plugins directory via Ansible.
I can see that there is an htaccessTemplate file in the HeatmapSessionRecording/Install directory. This file did not get templated since we bypassed any installation facilities for plugins provided by matomo. As a result, we seem lack the .htaccess file.

I'm wondering now if skipping the installation facilites provided by matomo for plugins like this could cause any other problems. We have chosen this approach to prevent potential problems with our SELinux configuration.

Hi @Hiradur, thanks for the update.

Each individual plugin has an install function that will perform various actions to setup the plugin, this will be different depending on the plugin, so skipping the install function might not cause any problems with one plugin, but cause issues with another.

To be sure that the plugin is properly set up the install function needs to be run.

If a plugin is activated when it isn't listed as installed in the config.ini.php PluginsInstalled list then the install function will be run on activation. So a possible approach would be to download the zip file and extract the contents to the plugin folder manually, then add the config.ini.php Plugins[] = "pluginname" setting, but not the PluginsInstalled[] setting, then active the plugin using the Matomo UI (or ./console plugin:activate) which will then run the install function.

This might not help for .htaccess files if SELinux is preventing file creation, but would at least cover things like setting up initial values and database changes.

For the missing HeatmapSessionRecording .htaccess file you should be able to just copy plugins/HeatmapSessionRecording/Install/htaccessTemplate to plugins/HeatmapSessionRecording/.htaccess

It seems like you've figured out the issue, so I'll close this ticket :slightly_smiling_face:

Thank you very much for the detailed answer. These plugins recently received an update and I'd like to know whether running a plugin's install function is necessary after plugin updates as well.

Hi @Hiradur,

It's possible that a plugin update might need the install function run again if there was a major change to the database tables, but in most cases this wouldn't be needed. Deactivating and then activating the plugin again will make sure the install function is run.

If the updated plugin is working without any issues then it's probably not necessary to do this.

Alright, thank you very much!