Page overlay not working - cross-domain Matomo - error "You can't access this resource as it requires 'view' access for the website id"

rmpel · September 11, 2018, 1:16pm

Hello all.

I have searched for this, but the view topics I could find do not apply to our situation.

We’re using Matomo 3.6.0, a central installation for multiple websites, and we’re logged in with the super-user (but also a regular user with the appropriate access rights has been tested)

We’re using the Page Overlay feature with “overlay_disable_framed_mode = 1” because of cross-domain.
We’ve tried to set-up the appropriate frame-related headers which works (the site could load in the frame) but the tracker then complaints with the error

Blocked a frame with origin “(website)” from accessing a frame with origin “(matomo installation)”. Protocols, domains, and ports must match.

every attempt to get this cross-domain scripting allowed failed, so we went with the frame-less option.

the website loads, but the site then responds with an alert-box with the before-mentioned error;

Error: You can’t access this resource as it requires ‘view’ access for the website id = 1.

we’ve tried with the super-user account, we’ve tried with an admin account which has (verified) the ‘view’ access right on the website in question.

I hope any of you recognises this problem and has a fix for it, because we’re at a loss.

some topics hint a bug, but supposedly fixed in 3.5
some topics hint at frame-busting (which we disabled on the site to be sure, no effect)
other topics refer to piwik 1 and 2, way too old.

any and all help is appreciated.

Thank you.

Remon.

fdellwing · September 11, 2018, 1:47pm

Just to be sure: You setup the headers both ways? You need to allow Matomo to frame the page and the page to access Matomo.

rmpel · September 12, 2018, 12:00pm

We did, but didn’t help, so we probably did not do it properly, but to avoid framing issues, we went with the frame-less option for now. That results in the error message. Once that’s been solved, we can try to get the framing working.

Oh, forgot to mention in topic;

we also added the ‘cors_domains[]’ items to the config file, didn’t help

Thank you for your response. We’ll keep trying

fdellwing · September 12, 2018, 12:02pm

It seems like you are not the only user with that problem:

github.com/matomo-org/matomo

Error: You can't access this resource as it requires 'view' access for the website id = 60.

opened 03:44PM - 10 Sep 18 UTC

closed 05:59AM - 03 Oct 18 UTC

tohn

Bug

I'm using Page Overlay for one of our sites and have super user permissions for …my user. Therefore I don't understand, why I can't see these bubbles on the page overlay. Everthing else (like Open Row Evolution, Open Transitions, Open segmented Visitor Log) works fine. Both sites (Matomo + Website) use TLS. But I only get the page, this error and after clicking ok in the right corner: "Loading following pages ..." I enabled debug mode and got this output: <pre> DEBUG Piwik\Plugin\Manager[2018-09-10 15:33:36 UTC] [43c7b] Loaded plugins: CorePluginsAdmin, CoreAdminHome, CoreHome, WebsiteMeasurable, Diagnostics, CoreVisualizations, Proxy, API, Widgetize, Transitions, LanguagesManager, Actions, Dashboard, MultiSites, Referrers, UserLa nguage, DevicesDetection, Goals, Ecommerce, SEO, Events, UserCountry, GeoIp2, VisitsSummary, VisitFrequency, VisitTime, VisitorInterest, RssWidget, Monolog, Login, UsersManager, SitesManager, Installation, CoreUpdater, CoreConsole, ScheduledReports, UserCountryMap, Live, C ustomVariables, PrivacyManager, ImageGraph, Overlay, SegmentEditor, Insights, Morpheus, Contents, Resolution, DevicePlugins, Heartbeat, Intl, Marketplace, ProfessionalServices, UserId, CustomPiwikJs, DBStats, Provider, Bandwidth, CustomOptOut, LogViewer, SecurityInfo, Site Migration, TasksTimetable DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] /var/www/matomo/core/Access.php(505): You can't access this resource as it requires 'view' access for the website id = 60. DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #0 /var/www/matomo/core/Piwik.php(511): Piwik\Access->checkUserHasViewAccess('60') DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #1 /var/www/matomo/plugins/SitesManager/API.php(223): Piwik\Piwik::checkUserHasViewAccess('60') DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #2 /var/www/matomo/plugins/Overlay/API.php(47): Piwik\Plugins\SitesManager\API->getSiteFromId('60') DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #3 [internal function]: Piwik\Plugins\Overlay\API->getExcludedQueryParameters('60') DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #4 /var/www/matomo/core/API/Proxy.php(236): call_user_func_array(Array, Array) DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #5 /var/www/matomo/core/API/Request.php(262): Piwik\API\Proxy->call('\\Piwik\\Plugins\\...', 'getExcludedQuer...', Array) DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #6 /var/www/matomo/plugins/API/Controller.php(41): Piwik\API\Request->process() DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #7 [internal function]: Piwik\Plugins\API\Controller->index() DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #8 /var/www/matomo/core/FrontController.php(560): call_user_func_array(Array, Array) DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #9 /var/www/matomo/core/FrontController.php(146): Piwik\FrontController->doDispatch(NULL, NULL, NULL) DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #10 /var/www/matomo/core/dispatch.php(34): Piwik\FrontController->dispatch() DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #11 /var/www/matomo/index.php(27):require_once('/var/www/matomo...') DEBUG API[2018-09-10 15:33:36 UTC] [43c7b] #12 {main} </pre> I'm quite lost right now. Can somebody help me? :)

rmpel · September 12, 2018, 12:15pm

Golden tip, by the way, the ‘cors_domains’ setting seems not to do anything. Would have suspected/hoped that setting would be used to set the appropriate content-security-policy headers, but alas, it does not.

I have hard-coded the CSP frame-ancestors with all domains used in the Matomo installation and the framing issue is resolved.

for future reference:
on matomo site, htaccess:
header always set Content-Security-Policy “frame-ancestors ‘self’ your-website-1-domain_com www_your-website-1-domain_com your-website-2-domain_com www.your-website-2-domain_com”

on ‘client’ sites, htaccess:
header always set Content-Security-Policy “frame-ancestors ‘self’ your-matomo-service-domain_com”

that did the trick for me, again, Fabian, thanks

the access-control related error remains however…

(as I can only post 2 links, I have mangled the domain names they were just indicative fake names, hope everyone understands what is meant)

rmpel · September 13, 2018, 7:25am

In GitHub, a pull request is made that solves the problem. I couldn’t find the perfect spot to say this, to confirm the solution works, so here it is.

the pull request: In Overlay do not call API directly since it does not have access to the token auth. by diosmosis · Pull Request #13420 · matomo-org/matomo · GitHub

Could not find a “get diff file” button, so I manually applied these changes to the files in question and it works beautifully! thank you all!!!

fdellwing · September 13, 2018, 7:36am

13406-overlay-api.patch (3,9 KB)