Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't delete users in "Manage Users" dashboard as superuser #20087

Closed
drakanor opened this issue Dec 8, 2022 · 3 comments
Closed

Can't delete users in "Manage Users" dashboard as superuser #20087

drakanor opened this issue Dec 8, 2022 · 3 comments
Labels
answered For when a question was asked and we referred to forum or answered it. Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced.

Comments

@drakanor
Copy link

drakanor commented Dec 8, 2022

(I have been discussing this with the Matomo support team already, and they asked me to create a bug report here.)

When logged in as superuser, I can't delete users in the "Manage users" dashboard by clicking the trash can button at the right side of the user entry.

When clicking the button, a confirmation dialog appears, which asks me for a password:
"Please enter your password to confirm this change."

After entering my superuser password, I get the following error message:
"The current password you entered is not correct."

In case the users password is required: I don't have that (the user set it himself). And of course I shouldn't need it as superuser.

Expected Behavior

When clicking the button, I'd expect a simple confirmation dialog (Yes/No). There is no need to enter any password here when logged in as superuser.

Current Behavior

When clicking the button, a confirmation dialog appears, which asks me for a password:
"Please enter your password to confirm this change."
After entering my superuser password, I get the following error message:
"The current password you entered is not correct."

Steps to Reproduce (for Bugs)

  1. Log in as superuser
  2. Go to "Manage Users" dashboard (/index.php?module=UsersManager)
  3. Click on the "Delete" Action (trash can) on the right side of the user entry I'd like to delete

matomo1

  1. A confirmation dialog appears requesting a password: entering the superuser password of the superuser account I'm logged in with

matomo2

  1. An error message is displayed about my password isn't correct

matomo3

Your Environment

  • Matomo Version: 4.13.0
  • PHP Version: 8.1.13
  • Server Operating System: Linux deb10.16-amd64
  • Additionally installed plugins:
    CustomVariables 4.1.1
    Provider 4.0.5
  • Browser: Firefox 107.0.1, Chrome 108.0.5359.98
  • Operating System: Windows 10
@drakanor drakanor added Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. To Triage An issue awaiting triage by a Matomo core team member labels Dec 8, 2022
@sgiehl
Copy link
Member

sgiehl commented Dec 8, 2022

@drakanor Does your password by an chance contain a &. It's currently known that Matomo has a problem with that character in passwords and this will get fixed with #20048

@drakanor
Copy link
Author

drakanor commented Dec 8, 2022

@sgiehl Yes, it does indeed. Thanks for pointing that out.
I still find it strange tho, that I have to provide my superuser password when managing my users.

@drakanor drakanor closed this as not planned Won't fix, can't repro, duplicate, stale Dec 8, 2022
@sgiehl
Copy link
Member

sgiehl commented Dec 9, 2022

@drakanor That has been implemented for security reasons. So if anybody would be able to take over your session, they won't be able to create or remove any user without knowing the password.
We might possibly improve this behaviour in the future. There had been discussions about changing that, so it's only required every X minutes to provide the password or something similar. But there are no final plans yet, so can't promise anything if or when that might get implemented.

@bx80 bx80 removed the To Triage An issue awaiting triage by a Matomo core team member label Dec 11, 2022
@justinvelluppillai justinvelluppillai added the answered For when a question was asked and we referred to forum or answered it. label Jan 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
answered For when a question was asked and we referred to forum or answered it. Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@justinvelluppillai @sgiehl @drakanor @bx80