tassoman
(Tassoman)
February 16, 2023, 10:49am
#1
Is there a config.ini.php setting to disable the confirmPassword feature for superadministrators?
Our company plugged in an external authentication manager who deals with it.
Is it possible to override it by using a custom Login plugin?
Hi @tassoman
Somebody already got this same idea
opened 07:49PM - 24 Oct 22 UTC
Enhancement
# Proposed solution
- introduce a new INI setting to … let people disable the password confirmation.
- create a new FAQ "How do I disable the password confirmation prompt?" that explains how it's not recommended because it lowers security, but when it's required for some reason, it's possible.
- both core & WP users could leverage this setting if needed
For now I'd say we don't need to link to the FAQ within the app itself, as I guess it's very rarely needed so not worth maybe.
# Note: workaround available
* Create a file in path/to/matomo/config/config.php
* with the content: https://github.com/matomo-org/matomo/issues/19904#issuecomment-1308497307
# Bug description
Similar to https://github.com/matomo-org/plugin-LoginLdap/issues/310
In some cases a Matomo admin might want to disable the password prompt that they get when performing any admin actions in a Matomo instance (e.g. creating a new user, changing settings, etc.)
For Matomo instances that have a high number of users and/or measurables this can mean that a Matomo admin enters their password for confirmation many times in a potentially short period of time.
With the new Password prompt implementation it is possible to disable the requirement for a password and instead just have a "Yes/No" prompt: https://github.com/matomo-org/matomo/pull/19525
However, from a security standpoint it would likely be best to have this still enabled by default and perhaps add a config option that could disable the password prompt.
tassoman
(Tassoman)
April 4, 2023, 6:34pm
#3
Yes, but it has been in since 4.13.3, not before. Thanks!