On our server, we currently run Matomo version 4.11.0. Matomo updates are managed using Ansible. After every update, ./console core:create-security-files is run. This has worked fine so far.
Recently, we installed the HeatmapSessionRecording plugin. For this plugin, the system check reported that plugins/HeatmapSessionRecording/configs.php is inaccessible and a manual check in the browser indeed revealed a 403 status code. Access to this file was blocked by the .htaccess file that was created by ./console core:create-security-files in the plugins directory. Even after installing the HeatmapSessionRecording plugin, activating it, and re-running ./console core:create-security-files, access to plugins/HeatmapSessionRecording/configs.php was still blocked. Deleting plugins/.htaccess allowed access in our case but is not an optimal solution.
It would be nice if core:create-security-files would create an .htaccess file in the plugins directory that would allow access to files that are needed to be publicly accessible by plugins.
Perhaps there could be some facility for Matomo plugins to report which files they need to be publicly accessible and core:create-security-files would generate the .htaccess file in the plugins directory accordingly.
@Hiradur, thanks for reporting this. The HeatmapSessionRecording plugin folder should contain its own .htaccess file to allow access to plugins/HeatmapSessionRecording/configs.php. It sounds like this isn't working.
Could you please confirm that the plugins/HeatmapSessionRecording/.htaccess file is present on your server and post the contents? This will hopefully help us understand what is happening.
There is no .htaccess file in plugins/HeatmapSessionRecording/. I think this is due to the way we installed the plugin: we downloaded HeatmapSessionRecording-4.4.3.zip from https://plugins.matomo.org/download and extracted it to the matomo/plugins directory via Ansible.
I can see that there is an htaccessTemplate file in the HeatmapSessionRecording/Install directory. This file did not get templated since we bypassed any installation facilities for plugins provided by Matomo. As a result, we seem to lack the .htaccess file.
I'm wondering now if skipping the installation facilities provided by Matomo for plugins like this could cause any other problems. We have chosen this approach to prevent potential problems with our SELinux configuration.
Hi @Hiradur, thanks for the update.
Each individual plugin has an install function that will perform various actions to set up the plugin. This will be different depending on the plugin, so skipping the install function might not cause any problems with one plugin, but cause issues with another.
To be sure that the plugin is properly set up, the install function needs to be run.
If a plugin is activated when it isn't listed as installed in the config.ini.php PluginsInstalled list then the install function will be run on activation. So a possible approach would be to download the zip file and extract the contents to the plugin folder manually, then add the config.ini.php Plugins[] = "pluginname" setting, but not the PluginsInstalled[] setting, then activate the plugin using the Matomo UI (or ./console plugin:activate) which will then run the install function.
This might not help for .htaccess files if SELinux is preventing file creation, but would at least cover things like setting up initial values and database changes.
For the missing HeatmapSessionRecording .htaccess file you should be able to just copy plugins/HeatmapSessionRecording/Install/htaccessTemplate to plugins/HeatmapSessionRecording/.htaccess.
It seems like you've figured out the issue, so I'll close this ticket :slightly_smiling_face:
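The manual fix suggested above (copying Install/htaccessTemplate to .htaccess), applied across a whole plugins directory, as an added example that is not part of the original thread or Matomo's own code. It assumes other plugins ship their template at the same Install/htaccessTemplate path as HeatmapSessionRecording; the function name is hypothetical.

```shell
#!/bin/sh
# Added example, not Matomo code.
# Assumption: a plugin that needs its own .htaccess ships the template at
# <plugin>/Install/htaccessTemplate, as HeatmapSessionRecording does here.

# restore_plugin_htaccess PLUGINS_DIR [--apply]
# Prints one line per plugin that ships a template:
#   ok NAME        .htaccess already present (left untouched)
#   missing NAME   .htaccess absent (dry run, nothing written)
#   restored NAME  template copied to .htaccess (--apply)
#   failed NAME    copy failed, e.g. permissions or SELinux denial
# Returns 1 if any copy failed, 0 otherwise.
restore_plugin_htaccess() {
    plugins_dir=$1
    mode=${2:-}
    rc=0
    for tpl in "$plugins_dir"/*/Install/htaccessTemplate; do
        [ -f "$tpl" ] || continue            # glob matched nothing
        plugin_dir=${tpl%/Install/htaccessTemplate}
        name=${plugin_dir##*/}
        target=$plugin_dir/.htaccess
        if [ -f "$target" ]; then
            echo "ok $name"                  # never overwrite an existing file
        elif [ "$mode" = "--apply" ]; then
            if cp "$tpl" "$target"; then
                echo "restored $name"
            else
                echo "failed $name"
                rc=1
            fi
        else
            echo "missing $name"
        fi
    done
    return "$rc"
}

# Stand-alone use: sh this-script.sh <path-to-matomo>/plugins [--apply]
if [ $# -ge 1 ]; then
    restore_plugin_htaccess "$@"
fi
```

Run without --apply first to see which plugins were extracted without their install step having created the file.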
Thank you very much for the detailed answer. These plugins recently received an update and I'd like to know whether running a plugin's install function is necessary after plugin updates as well.
Hi @Hiradur,
It's possible that a plugin update might need the install function run again if there was a major change to the database tables, but in most cases this wouldn't be needed. Deactivating and then activating the plugin again will make sure the install function is run.
If the updated plugin is working without any issues then it's probably not necessary to do this.