@drakanor opened this Issue on December 8th 2022

(I have been discussing this with the Matomo support team already, and they asked me to create a bug report here.)

When logged in as superuser, I can't delete users in the "Manage users" dashboard by clicking the trash can button at the right side of the user entry.

When clicking the button, a confirmation dialog appears, which asks me for a password:
"Please enter your password to confirm this change."

After entering my superuser password, I get the following error message:
"The current password you entered is not correct."

In case the user's password is required: I don't have that (the user set it himself). And of course I shouldn't need it as superuser.

Expected Behavior

When clicking the button, I'd expect a simple confirmation dialog (Yes/No). There is no need to enter any password here when logged in as superuser.

Current Behavior

When clicking the button, a confirmation dialog appears, which asks me for a password:
"Please enter your password to confirm this change."
After entering my superuser password, I get the following error message:
"The current password you entered is not correct."

Steps to Reproduce (for Bugs)

  1. Log in as superuser
  2. Go to "Manage Users" dashboard (/index.php?module=UsersManager)
  3. Click on the "Delete" Action (trash can) on the right side of the user entry I'd like to delete

  4. A confirmation dialog appears requesting a password: I enter the superuser password of the superuser account I'm logged in with

  5. An error message is displayed saying my password isn't correct

Your Environment

  • Matomo Version: 4.13.0
  • PHP Version: 8.1.13
  • Server Operating System: Linux deb10.16-amd64
  • Additionally installed plugins:
    CustomVariables 4.1.1
    Provider 4.0.5
  • Browser: Firefox 107.0.1, Chrome 108.0.5359.98
  • Operating System: Windows 10
@sgiehl commented on December 8th 2022 Member

@drakanor Does your password by any chance contain a &? It's currently known that Matomo has a problem with that character in passwords and this will get fixed with #20048.

@drakanor commented on December 8th 2022

@sgiehl Yes, it does indeed. Thanks for pointing that out.
I still find it strange tho, that I have to provide my superuser password when managing my users.

@sgiehl commented on December 9th 2022 Member

@drakanor That has been implemented for security reasons. So if anybody would be able to take over your session, they won't be able to create or remove any user without knowing the password.
We might possibly improve this behaviour in the future. There had been discussions about changing that, so it's only required every X minutes to provide the password or something similar. But there are no final plans yet, so can't promise anything if or when that might get implemented.

This Issue was closed on December 8th 2022
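
The password confirmation @sgiehl describes, together with the "only required every X minutes" variant mentioned as a possible future change, sketched as an added example (not Matomo's code and not part of the original thread). The `Session` class, `delete_user`, the 15-minute window and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac

GRACE_SECONDS = 15 * 60  # assumed value for the "X minutes" window


def hash_password(password: str, salt: bytes) -> bytes:
    # Hash the exact characters the user typed, with no escaping or trimming,
    # so a character such as "&" cannot change the result.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class Session:
    """Constructed stand-in for a logged-in superuser session."""

    def __init__(self, salt: bytes, stored_hash: bytes):
        self.salt = salt
        self.stored_hash = stored_hash
        self.confirmed_at = None  # time of the last successful confirmation

    def confirm_password(self, password: str, now: float) -> bool:
        candidate = hash_password(password, self.salt)
        ok = hmac.compare_digest(candidate, self.stored_hash)  # constant-time compare
        if ok:
            self.confirmed_at = now
        return ok

    def recently_confirmed(self, now: float) -> bool:
        if self.confirmed_at is None:
            return False
        return 0 <= now - self.confirmed_at < GRACE_SECONDS


def delete_user(session, users, login, now, password=None):
    """Delete `login` only if the acting user's password was confirmed
    in this request or within the grace window."""
    if password is not None:
        if not session.confirm_password(password, now):
            return "wrong-password"
    elif not session.recently_confirmed(now):
        # A hijacked session cookie alone does not get past this point.
        return "password-required"
    users.discard(login)
    return "deleted"
```

The session cookie identifies who is acting, while the password check proves the legitimate account holder is present. Only a successful check starts the grace window, so a stolen session gains nothing until the real user has confirmed.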