Wordpress embed visitor map

heurteph-ei · August 10, 2022, 9:32am

As you can see:

Widgetize: giving access to everybody to view a specific widget (token_auth on a per widget basis)

opened 07:34PM - 06 Jul 08 UTC

Enhancement

At the moment, users can only export widgets if they have made their statistics …publicly available. Often, people would be happy to share their number of visits (and show the evolution graph over the last 30 days for example), but they don't want to share other data (keywords, referers, etc.). At the moment widgets are shown only if stats are avaialble for the anonymous user, or if the user passes its token_auth to the widget. This is a problem as currently token_auth is like having the login + password. **Proposal** - each website is associated with a website_key that has VIEW access to the website data. - this key is the one passed for invoking the widgets. - it is expected that this key is Known to external users. Having this key means that all the website reports are readable. - during Authentication, in: /plugins/Login/Auth.php there will be a new sql query to select from piwik_site and try and match a website key; if matched, the login used is anonymous. anonymous user has read access but no write access (you can't create websites, users, goals, etc.). **Specification** - DB changes: new token_auth field of 32 chars in piwik_site - Migration: this token_auth must be randomly generated for all existing websites during migration. - API: the token_auth is now returned in the website responses from the SitesManager API, eg. in SitesManager.getSiteFromId(). When adding a new website, the token_auth must be generated. - Authentication: should be a small change in plugins/Login/Auth.php. Side note: we make sure that when the token_auth is empty in the DB (in case of migration issue for example), the authentication fails. - UI: the website_key is now added to all widgets embed fields URLs (for flash invocation, and iframe invocation) Downside The downside of this method is that the website_key is available to see all widgets for a website. This is rather open and will be an issue for some websites which will claim that it is not ok to open all the reports to everyone. The alternative would be to have a md5 hash generated for each tuple (widget, website), the Auth would then look in this list to authenticate. if anyone is interested and wants to build this feature, let us know in the comments

And also (I known you already saw this ;-))

So today there is no simple solution available…
Then you can either:

develop your own data proxy (in PHP, etc) that would connect your Matomo API with some credential and then filter unwanted data),
create a new Matomo plugin for this feature
create a PR to solve the Widgetize: giving access to everybody to view a specific widget (token_auth on a per widget basis) · Issue #5703 · matomo-org/matomo (github.com) feature request…