Matomo iframe widgets report “For embedding widgets super user token auths are not allowed” but auth token is read-only

notken · April 19, 2021, 12:45pm

(Anyone who uses Stackoverflow, sorry for the cross-post, but I’ve not had any answers on there.)

We have started using Matomo for analytics on some of our web sites.

We’re experimenting with adding iframe widgets and graphs into particular parts of our Web app for certain authorised users. To do this we set up a read-only user in Matomo, and created an api auth key for it. We use this key as part of the request URL for the Matomo widgets.

This works fine for anyone who doesn’t have their own Matomo login, but for me it’s using my browser cookie to override the api auth key. When logged in to Matomo and trying to view the analytics, I get the following message:

This user has super user access. For embedding widgets super user token auths are not allowed.

To get rid of this message I have to log out of the Matomo dashboard first. Then the widgets work fine, using the api auth key.

This isn’t really ideal. Is there any way to have it be forced to use the key in the URL and not what’s in my cookie or browser?

Lukas · April 26, 2021, 12:41pm

Hi,

This might be the same issue as this one:

github.com/matomo-org/matomo

Widgetize request with token_auth param fails if superuser session exists

opened 08:09PM - 11 Mar 21 UTC

closed 03:15AM - 11 May 21 UTC

carlgrundberg

Bug

As your documentation says I have created a view-only user with a token and when… using that token to show a widget I'm getting an error saying "This user has superuser access". It works if I load the same url while logged out or in another browser. Seems odd if it shouldn't work since this should be a fairly common case. Example url: http://localhost:8000/index.php?module=Widgetize&action=iframe&forceView=1&disableLink=1&token_auth=xxx&moduleToWidgetize=VisitsSummary&actionToWidgetize=getEvolutionGraph&viewDataTable=graphEvolution&idSite=1&date=2021-02-09,2021-03-10&period=range ## Expected Behavior It should be possible to show the widget even if you are currently logged in as a super user in the same browser. ## Current Behavior Error message saying "This user has super user access. For embedding widgets super user token auths are not allowed. See our faq for more information." ## Possible Solution I have tried to follow the code and it seems that when using the token_auth parameter there is a call to the method `Request::reloadAuthUsingTokenAuth` eventually landing in `Access::reloadAccess`, however it return without reloading since `$this->hasSuperUserAccess` is still true from the session auth. ## Steps to Reproduce (for Bugs) 1. Create user with view permissions and generate a token 2. Create a widgetized url and add the token to the url 3. Load the url in a browser where you are logged in as a super user ## Context We are trying to embed widgets in an external dashboard. ## Your Environment I'm running your latest docker image. * Matomo Version: 4.2.1

notken · April 26, 2021, 1:28pm

Yes, thanks. I did end up reporting it to github, and we’ve merged it with the ticket you linked to.

Initially I thought I was doing something wrong, but it does look like it’s a bug.

yannick_berges · February 25, 2022, 9:27pm

Hello sorry i have same problem but i dont understand thé solution
I create create token my admin account and its the problem ?

notken · March 1, 2022, 11:51am

Hi Yannick. You don’t want the API token on your admin account if you want these widgets to be public. Instead you create a special new account with read-only access, and then generate the API key for that account:

Create new read-only account for the Web site (or system as a whole)
Log out of the matomo UI
Log in to the new read-only account in the UI
Generate an API key and keep a note of it
Log out of the read-only account and log back in to your normal admin account.

Hope that helps.

yannick_berges · May 11, 2022, 7:22pm

thanks for explain !