token_auth authentication bypass #837

Closed
anonymous-matomo-user opened this issue Jun 28, 2009 · 3 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it.
Comments

@anonymous-matomo-user

If I call the Flash applets with token_auth=anonymous they are shown, even though anonymous does not have view permissions.

If I do the same with JSON api call access is blocked.

Repro:

  1. Log into the Piwik website (now you are authenticated with your "administrator")
  2. Request JSON data with token_auth=anonymous
  3. You receive access denied to site 1
  4. Request the Flash widget with token_auth=anonymous
  5. Widget is shown, but shouldn't be.

In addition to this, it would be great if the Flash applet wouldn't return only the output below when access has been denied. It's not very easy for users to understand what happened here.

Open Flash Chart

JSON Parse Error [Syntax Error]
Error at character 0, line 1:

0: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1

@robocoder
Contributor

Sorry, I should have been more clear in #790. token_auth is used for API calls; token_auth is not used for authentication in iframes or flash widgets.

In your test case, the API request for JSON formatted data failed as expected. The reason the flash widget succeeded is because you were logged in and Piwik used the authenticated login session. While the Flash widget does use JSON formatted data, the data stream contains additional information required by Open Flash Chart, and as such, it is not the same data as an API request for JSON data.

Please keep an eye out for #283 (or #804).
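
A small constructed model of the two authorization paths robocoder describes (token_auth for API calls, the login session for widgets), added here as an illustration; it is not Piwik's code, and the token table, user names and site ids are made up. It reproduces steps 2 to 5 of the report and shows one consistent policy beside it, where an explicit token_auth is honored on every path and never silently upgraded to the session user.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ANONYMOUS = "anonymous"

# Constructed data: who may view which idSite, and which token maps to whom.
VIEW_ACCESS: Dict[str, set] = {"administrator": {1}}
TOKENS: Dict[str, str] = {"constructed-admin-token": "administrator",
                          ANONYMOUS: ANONYMOUS}


@dataclass
class Request:
    module: str                    # "API" for JSON API calls, else a widget/report module
    token_auth: Optional[str]      # token_auth query parameter, if any
    session_user: Optional[str]    # user logged into the Piwik website, if any


def resolve_user_reported(req: Request) -> Optional[str]:
    """Behaviour described in the thread: only API calls look at token_auth;
    widgets ignore it and fall back to the login session."""
    if req.module == "API":
        return TOKENS.get(req.token_auth or "")
    return req.session_user


def resolve_user_consistent(req: Request) -> Optional[str]:
    """Hypothetical consistent policy: an explicit token_auth decides on every
    path (an unknown token yields no user); the session is used only when no
    token was sent at all."""
    if req.token_auth is not None:
        return TOKENS.get(req.token_auth)
    return req.session_user


def can_view(user: Optional[str], id_site: int) -> bool:
    return user is not None and id_site in VIEW_ACCESS.get(user, set())


def repro(resolver=resolve_user_reported) -> Dict[str, bool]:
    """Logged in as administrator, both requests carry token_auth=anonymous."""
    json_req = Request("API", ANONYMOUS, "administrator")
    widget_req = Request("UserSettings", ANONYMOUS, "administrator")
    return {"json": can_view(resolver(json_req), 1),
            "widget": can_view(resolver(widget_req), 1)}
```

With the reported resolver `repro()` returns `{"json": False, "widget": True}`, which is exactly the inconsistency in the report; with `resolve_user_consistent` both are denied, while a request carrying the admin token and no session is still allowed.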

@anonymous-matomo-user
Author

I need to be able to authenticate the Flash data request with token_auth. Drupal users do not need to log into the Piwik website. They see all standard statistics in the reports section. I do not need to authenticate the swf file itself... only the data that is used to build the Flash chart.

@anonymous-matomo-user
Author

Here is an example URL that doesn't allow me to get the flash data:

/piwik/index.php?module=UserSettings&action=getOS&idSite=1&period=month&date=2009-06-29&filter_limit=10&filter_sort_column=nb_uniq_visitors&filter_sort_order=desc&viewDataTable=generateDataChartPie&token_auth={my token_auth}

This issue was closed.