On our server, we currently run Matomo version 4.11.0. Matomo updates are managed using Ansible. After every update,
./console core:create-security-files is run. This has worked fine so far.
Recently, we installed the
HeatmapSessionRecording plugin. For this plugin, the system check reported that
plugins/HeatmapSessionRecording/configs.php is inaccessible and a manual check in the browser indeed revealed a
403 status code. Access to this file was blocked by the
.htaccess file that was created by
./console core:create-security-files in the
plugins directory. Even after installing the
HeatmapSessionRecording plugin, activating it, and re-running
./console core:create-security-files, access to
plugins/HeatmapSessionRecording/configs.php was still blocked. Deleting
plugins/.htaccess allowed access in our case but is not an optimal solution.
It would be nice if
core:create-security-files would create an
.htaccess file in the
plugins directory that would allow access to files that are needed to be publically accessible by plugins.
Perhaps there could be some facility for Matomo plugins to report which files they need to be publically accessible and
core:create-security-files would generate the
.htaccess file in the
plugins directory accordingly.
@Hiradur, thanks for reporting this. The
HeatmapSessionRecording plugin folder should contain it's own
.htaccess file to allow access to
plugins/HeatmapSessionRecording/configs.php. It sounds like this isn't working.
Could you please confirm that the
plugins/HeatmapSessionRecording/.htaccess file is present on your server and post the contents? This will hopefully help us understand what is happening.
There is no
.htaccess file in
plugins/HeatmapSessionRecording/. I think this is due to the way how we installed the plugin: we downloaded
HeatmapSessionRecording-4.4.3.zip from https://plugins.matomo.org/download and extracted it to the
matomo/plugins directory via Ansible.
I can see that there is an
htaccessTemplate file in the
HeatmapSessionRecording/Install directory. This file did not get templated since we bypassed any installation facilities for plugins provided by matomo. As a result, we seem lack the
I'm wondering now if skipping the installation facilites provided by matomo for plugins like this could cause any other problems. We have chosen this approach to prevent potential problems with our SELinux configuration.
Hi @Hiradur, thanks for the update.
Each individual plugin has an install function that will perform various actions to setup the plugin, this will be different depending on the plugin, so skipping the install function might not cause any problems with one plugin, but cause issues with another.
To be sure that the plugin is properly set up the install function needs to be run.
If a plugin is activated when it isn't listed as installed in the
PluginsInstalled list then the install function will be run on activation. So a possible approach would be to download the zip file and extract the contents to the plugin folder manually, then add the
Plugins = "pluginname" setting, but not the
PluginsInstalled setting, then active the plugin using the Matomo UI (or
./console plugin:activate) which will then run the install function.
This might not help for .htaccess files if SELinux is preventing file creation, but would at least cover things like setting up initial values and database changes.
For the missing
.htaccess file you should be able to just copy
It seems like you've figured out the issue, so I'll close this ticket :slightly_smiling_face:
Thank you very much for the detailed answer. These plugins recently received an update and I'd like to know whether running a plugin's install function is necessary after plugin updates as well.
It's possible that a plugin update might need the install function run again if there was a major change to the database tables, but in most cases this wouldn't be needed. Deactivating and then activating the plugin again will make sure the install function is run.
If the updated plugin is working without any issues then it's probably not necessary to do this.
Alright, thank you very much!