New config setting to prevent Super Users from seeing other users' token_auth #6346
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Enhancement
For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
worksforme
The issue cannot be reproduced and things work as intended.
The goal of this issue is to create a new config setting that, when set to 1, will prevent Super Users from seeing other users' token_auth.
Steps
Manage users will only show the first few letters of the token_auth.
More secure
This will increase security in some Piwik setups where Super User access is widely shared. In this configuration, it is more secure to prevent Super Users from authenticating as other users and issuing API requests using another user's token_auth.