
New config setting to prevent Super Users from seeing other users' token_auth #6346

Closed
mattab opened this issue Sep 30, 2014 · 3 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. worksforme The issue cannot be reproduced and things work as intended.
Milestone

Comments

@mattab
Member

mattab commented Sep 30, 2014

The goal of this issue is to create a new config setting that, when set to 1, will prevent Super Users from seeing other users' token_auth.

Steps

  • Introduce the new setting.
  • When the setting is enabled, the admin page Manage users will only show the first few letters of the token_auth.
  • Add a new FAQ to publicise the new useful setting.

More secure
This will increase security in some Piwik setups where Super User access is widely shared. In this configuration, it is more secure to prevent Super Users from authenticating as other users and issuing API requests using another user's token_auth.
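The masking step described in the issue, as an added illustration rather than Matomo's own code: a helper that decides how a token_auth is rendered on the Manage users page, gated by a config flag. The setting name `hide_token_auth_from_super_users`, the sample config array and the sample users are all constructed placeholders; the issue does not specify the real key or where the check lives.

```php
<?php
// Added example, not Piwik/Matomo project code. The config key
// `hide_token_auth_from_super_users` is a hypothetical placeholder.
declare(strict_types=1);

/**
 * Return the token as it should be shown to the current viewer.
 * Own tokens are always shown in full. For other users' tokens, when the
 * flag is enabled, keep only a short prefix and pad with a fixed number of
 * '*' so the masked output does not reveal the real token length either.
 */
function displayTokenAuth(string $tokenAuth, bool $hideFromSuperUsers, bool $isOwnToken, int $visibleChars = 4): string
{
    if ($isOwnToken || !$hideFromSuperUsers) {
        return $tokenAuth;
    }
    $visibleChars = max(0, min($visibleChars, strlen($tokenAuth)));
    $prefix = substr($tokenAuth, 0, $visibleChars);
    return $prefix . str_repeat('*', 32 - $visibleChars); // fixed-width mask
}

// Constructed stand-in for the [General] section of the config file.
$config = ['General' => ['hide_token_auth_from_super_users' => 1]];
$hide = (bool) ($config['General']['hide_token_auth_from_super_users'] ?? 0);

// Constructed sample users; the token values are placeholders, not real tokens.
$currentLogin = 'admin';
$users = [
    ['login' => 'admin', 'token_auth' => 'a1b2c3d4e5f60718293a4b5c6d7e8f90'],
    ['login' => 'alice', 'token_auth' => 'ffeeddccbbaa99887766554433221100'],
];

// Apply the filter where the user list is produced, so every consumer of
// the data (HTML template or API response) receives the masked value.
foreach ($users as $user) {
    $isOwn = ($user['login'] === $currentLogin);
    printf("%-6s %s\n", $user['login'], displayTokenAuth($user['token_auth'], $hide, $isOwn));
}
```

The design point worth keeping from this example is where the masking happens: if it is done only in the template, any API method that returns the same user records still hands out the full token, so the filter belongs at the point the records are built, before they reach either the page or the API.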

@mattab mattab added Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels Sep 30, 2014
@mattab mattab added this to the Short term milestone Sep 30, 2014
@gaumondp

The more I see features about Super User being less and less "super", the more I think a new level of user would be better...

Super User = Almighty, access via SSH, updates, install plugins
Piwik supervisor = See all sites, can add users and other actions but with limitations from #6346 , #6348 , #6324
Users = as we know them

@mattab
Member Author

mattab commented Sep 30, 2014

@gaumondp Thanks for the suggestion, but I don't think we need a new type of user; it would be less clear, maybe. Also, adding a new role now is complicated. I would prefer to have good defaults and, for the few users who want to configure differently, make it easy for them (via a config setting).

@mattab mattab modified the milestones: Mid term, Short term Oct 12, 2014
@mattab
Member Author

mattab commented Dec 5, 2016

Tokens are now hidden for all super users in Piwik 3.

@mattab mattab closed this as completed Dec 5, 2016
@mattab mattab added the worksforme The issue cannot be reproduced and things work as intended. label Dec 5, 2016

2 participants