Anon Access


(J Stern) #1

So I have Piwik installed and working perfectly at the moment. My only concern is having to keep anon access if I want to let all my clients access their stats through my control panel.

When I read the documentation, I thought I understood it to say that I could turn off anonymous access and the following would allow me to access their stats:

http://www.domain.com/piwik/index.php?module=Widgetize&action=iframe&moduleToWidgetize=Dashboard&actionToWidgetize=index&idSite=1&period=day&date=yesterday&token_auth=ee9b283772be8fd9ba6138ea1f336b

(Background: Logged in as a superuser, changed anonymous to noaccess and created 2 new accounts: admin with admin rights, and clients with view access. I then pass through the siteid depending on which client is logged in. The token is passed as either admin (if admin) or the partners token (if !admin).)

When I try to use this method, it still brings up the login screen. I’d rather not set up an account for every client (unless I absolutely have to, but then why use siteid?) nor do I like making them log into control panel, and then into their stats page.

Is there an easier way I haven’t seen yet? My last thought before posting was to create the cookie with the right info when they log into my control panel.


(Matthieu Aubry) #2

This is a known bug: http://dev.piwik.org/trac/ticket/1353

In the meantime, you can also use the logme technique: http://piwik.org/faq/how-to/#faq_30


(J Stern) #3

I didn’t see that bug. Everything I could find pointed to this being fixed. I will use the mentioned login method until this gets resolved. Thanks Matt.


(J Stern) #4

I might have some additional insight to this problem. I am now trying to use the ‘logme’ action, but I’m running into a problem with the login controller.

According to the FAQ example, shouldn’t this work:

http://domain.com/piwik/index.php?module=Login&action=logme&login=jstern&password=5f4dcc3b5aa765d61d8327deb882cf99&url=http://www.domain.com/piwik/index.php?module=Widgetize&action=iframe&moduleToWidgetize=Dashboard&actionToWidgetize=index&idSite=1&period=day&date=yesterday

The jstern account has view access to all websites, so logging in should redirect to this dashboard for any given idSite.

Error: Action iframe not found in the controller Piwik_Login_Controller.

I am trying to think of a way to render the login page behind the scenes then load this other page up in iframes.


(Matthieu Aubry) #5

Did you URL encode your url=xxxx ?
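
The effect of leaving url= unencoded, as an added example that is not part of the original thread: the nested URL's own `&action=iframe` is read as a parameter of the outer Login request, which matches the "Action iframe not found in the controller Piwik_Login_Controller" error in post #4. The host `piwik.example`, the login and the password hash are constructed placeholders, and the helper names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample values: host, login and password hash are placeholders.
BASE = "http://piwik.example/piwik/index.php"
DASHBOARD_PARAMS = [
    ("module", "Widgetize"), ("action", "iframe"),
    ("moduleToWidgetize", "Dashboard"), ("actionToWidgetize", "index"),
    ("idSite", "1"), ("period", "day"), ("date", "yesterday"),
]

def effective_params(url):
    """Parse a query string the way PHP fills $_GET: the last duplicate key wins."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

def dashboard_url():
    """The widgetized dashboard URL used as the redirect target."""
    return BASE + "?" + urlencode(DASHBOARD_PARAMS)

def logme_url_unencoded(login, md5_password):
    # Redirect target pasted in verbatim, as in post #4.
    return (f"{BASE}?module=Login&action=logme&login={login}"
            f"&password={md5_password}&url={dashboard_url()}")

def logme_url_encoded(login, md5_password):
    # urlencode() percent-encodes the nested URL, so its '&' and '='
    # stay inside the value of url= instead of leaking into the outer query.
    return BASE + "?" + urlencode([
        ("module", "Login"), ("action", "logme"),
        ("login", login), ("password", md5_password),
        ("url", dashboard_url()),
    ])

if __name__ == "__main__":
    for build in (logme_url_unencoded, logme_url_encoded):
        p = effective_params(build("AUSER", "AMD5PASSWORD"))
        print(build.__name__, "->", p["module"], p["action"], p["url"])
```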


(krose) #6

I have the same problem. Have tried embedding iframe dashboard in page with auto-login, with encoded redir. url. However all widgets in dashboard show “No data for this graph.” or “No data for this table”. The widgets do display correctly in the real dashboard mode when I login through the login page.

http://XXX.XXX.XXX/tools/analytics/index.php?module=Login&action=logme&login=AUSER&password=AMD5PASSWORD&url=http%3A%2F%2FXXX.XXX.XXX%2Ftools%2Fanalytics%2Findex.php%3Fmodule%3DWidgetize%26action%3Diframe%26moduleToWidgetize%3DDashboard%26actionToWidgetize%3Dindex%26idSite%3D1%26period%3Dweek%26date%3Dyesterday

Any ideas?


(krose) #7

[quote=krose @ Jul 17 2010, 03:25 AM]I have the same problem. Have tried embedding iframe dashboard in page with auto-login, with encoded redir. url. However all widgets in dashboard show “No data for this graph.” or “No data for this table”. The widgets do display correctly in the real dashboard mode when I login through the login page.

http://XXX.XXX.XXX/tools/analytics/index.php?module=Login&action=logme&login=AUSER&password=AMD5PASSWORD&url=http%3A%2F%2FXXX.XXX.XXX%2Ftools%2Fanalytics%2Findex.php%3Fmodule%3DWidgetize%26action%3Diframe%26moduleToWidgetize%3DDashboard%26actionToWidgetize%3Dindex%26idSite%3D1%26period%3Dweek%26date%3Dyesterday

Any ideas?[/quote]

Oops. Logging in automatically with the url did work, I was just having a separate issue. It turned out that the “No Data” issue went away when I switched the time period from Week to Day.


(J Stern) #8

Any update on having the dashboard working using token_auth for the new release? I’ve been looking for confirmation of this but couldn’t find any.

I am looking for a solution again because I had a customer point out that, when they click on the daily line graph (the points are links), if they click on this link, they become superuser and can view all other websites’ statistics.

I just spent the day writing a script to use an API call to add all my users / pass / emails into the piwik_users table. I decided to try to pass along the siteid and token_auth, but the stats still don’t populate…

Error in each Widget: Error: You can’t access this resource as it requires an ‘view’ access for the website id = 97.

with a login form. (Some widgets actually do have info in them…)

If I cannot use token_auth yet, is there a way using the logme method that won’t give a user superuser access clicking on the chart points?


(J Stern) #9

If this helps, the line graph that I click on as a user to become a superuser is called “Overview with graph” ‘Evolution over the last days’.

Clicking on the dots on the lines allows me to view any / all sites.


(vipsoft) #10

http://dev.piwik.org/trac/ticket/1353 has NOT been fixed yet.

The alleged privilege escalation is invalid because you use “logme” (form-less login) which sets the authentication cookie.


(J Stern) #11

Thank you for the response. I have disabled that particular widget so customers cannot see the full dashboard and access others’ stats.


(Matthieu Aubry) #12

This bug has been fixed; see the patch in: Dashboard & Sparklines should work when embedded with token_auth · Issue #1353 · matomo-org/matomo · GitHub