Working with Embedded Matomo Widgets

(Roddy A. Stegemann) #1

BACKGROUND: I recently loaded a Matomo widget from my 3rd party webserver to my local test server, and to my great surprise it worked. Reading the widget guide suggested, however, that this is not possible without special user authorization.

QUESTION: Is it correct to assume that anyone can see the contents of a widget embedded on a webpage? If not, what must I do to make it possible?

(Lukas Winkler) #2

If view access to your website is enabled to anonymous users, everyone can see a widget. Otherwise you’ll need to add the access_token parameter.

But keep in mind that everyone with the access_token has full access to the corresponding user account.

(Roddy A. Stegemann) #3

The MANUAL: “Users with the ‘view’ permission can view all reports in Matomo (Piwik) for the website(s) the user is set to ‘view’.”

A POSSIBLE CONSEQUENCE?: This suggests that once a widget is made visible on a website to anonymous visitors, anyone who understands page source can discover the location of the piwik.php file, and anyone who understands both page source and Matomo has full access to all the data available for a website via a Matomo widget. One has only to write the appropriate query string and voilà: the widget appears! Is this an accurate assessment?

MY DESIRE: What I would like to achieve is the following: Display a select number of widgets for anonymous visitors without giving access to my entire Matomo database to those visitors knowledgeable about the creation and use of Matomo widgets.

QUESTION: Is my desire even possible without having to write an AJAX call?

(Lukas Winkler) #4

Your interpretation is correct and there is currently no way to limit which widgets a token can access.

There is a github issue about implementing this, but I can’t find it at the moment.

More info:

(Roddy A. Stegemann) #5

I was not thinking about using a token for specific users; rather, making VIEW available to anonymous users and then limiting their access to specific widgets. I can see, however, how this problem would apply to users both with a token and without.

OK. So, for the moment it is AJAX! Not a big deal, mind you, just a little more coding for users, a possible new project for Matomo.
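The server-side ("AJAX") approach that posts #3 and #5 arrive at, written out as an added example that is not from the thread or from the Matomo project: the browser never receives the token, because a small proxy on the site owner's own server holds the token (for a dedicated view-only Matomo user) and forwards only requests for an allowlisted set of widgets, site ids, periods and dates. The Matomo parameter names (`module=Widgetize`, `moduleToWidgetize`, `actionToWidgetize`, `idSite`, `period`, `date`, `token_auth`) are the ones the Widgetize embed URLs use; the `MATOMO_BASE` URL, the allowlist contents and the `handle_widget_request` query-string format are assumptions for illustration.

```python
"""Server-side proxy exposing an allowlist of Matomo widgets to anonymous visitors.

Added example (not Matomo code). The token stays on this server; the visitor only
chooses a widget by short name and may not supply Matomo parameters directly.
"""
import os
import re
from urllib.parse import parse_qs, urlencode
from urllib.request import urlopen

# Hypothetical deployment values; read from the environment or a secret store.
MATOMO_BASE = os.environ.get("MATOMO_BASE", "https://matomo.example.org/index.php")
TOKEN_AUTH = os.environ.get("MATOMO_TOKEN_AUTH", "REPLACE-WITH-VIEW-ONLY-TOKEN")

# Only these widgets (public short name -> Matomo module/action) may be requested.
ALLOWED_WIDGETS = {
    "visits-overview": ("VisitsSummary", "getEvolutionGraph"),
    "top-pages": ("Actions", "getPageUrls"),
}
ALLOWED_SITES = {1}                      # idSite values the public may see
ALLOWED_PERIODS = {"day", "week", "month", "year"}
DATE_RE = re.compile(r"^(today|yesterday|\d{4}-\d{2}-\d{2})$")


class WidgetRequestError(ValueError):
    """Raised when the visitor's request falls outside the allowlist."""


def build_widget_url(widget, id_site, period, date, base=MATOMO_BASE, token=TOKEN_AUTH):
    """Validate every visitor-controlled value, then assemble the Widgetize URL."""
    if widget not in ALLOWED_WIDGETS:
        raise WidgetRequestError("unknown widget")
    if id_site not in ALLOWED_SITES:
        raise WidgetRequestError("site not exposed")
    if period not in ALLOWED_PERIODS:
        raise WidgetRequestError("bad period")
    if not DATE_RE.match(date):
        raise WidgetRequestError("bad date")
    module, action = ALLOWED_WIDGETS[widget]
    params = {
        "module": "Widgetize",
        "action": "iframe",
        "moduleToWidgetize": module,
        "actionToWidgetize": action,
        "idSite": id_site,
        "period": period,
        "date": date,
        "disableLink": 1,
        "widget": 1,
        "token_auth": token,   # attached here, server-side only
    }
    return base + "?" + urlencode(params)


def _first(qs, key, default=None):
    values = qs.get(key)
    return values[0] if values else default


def handle_widget_request(query_string, fetch=None):
    """Serve /widget?name=...&site=...&period=...&date=... and return (status, body).

    Only the four keys above are read; any other parameter the visitor sends
    (module, action, token_auth, ...) is ignored rather than forwarded.
    """
    fetch = fetch or (lambda url: urlopen(url, timeout=10).read())
    qs = parse_qs(query_string, keep_blank_values=True)
    try:
        url = build_widget_url(
            _first(qs, "name", ""),
            int(_first(qs, "site", "1")),   # non-numeric site -> ValueError -> 403
            _first(qs, "period", "day"),
            _first(qs, "date", "yesterday"),
        )
    except ValueError as exc:              # WidgetRequestError is a ValueError
        return 403, f"widget request refused: {exc}"
    return 200, fetch(url)


if __name__ == "__main__":
    # Offline demonstration: a constructed fetch that records the forwarded URL.
    def fake_fetch(url):
        print("would fetch:", url)
        return b"<html>widget</html>"

    print(handle_widget_request("name=visits-overview&period=week", fetch=fake_fetch))
    print(handle_widget_request("name=top-pages&module=API&token_auth=x", fetch=fake_fetch))
    print(handle_widget_request("name=Goals.get", fetch=fake_fetch))
```

Two design choices carry the security value: the visitor selects a widget by a short name that maps to a fixed module/action pair, so they cannot name arbitrary Matomo reports, and the token belongs to a separate user that has only `view` on the exposed site, so even a leak of the server's configuration grants nothing beyond what the page already shows. The page that embeds the widget then points its iframe or fetch at this proxy endpoint instead of at the Matomo host.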