BACKGROUND: I recently loaded a Matomo widget from my 3rd party webserver to my local test server, and to my great surprise it worked. Reading the widget guide suggested, however, that this is not possible without special user authorization.
QUESTION: Is it correct to assume that anyone can see the contents of a widget embedded on a webpage? If not, what must I do to make it possible?
The MANUAL: “Users with the ‘view’ permission can view all reports in Matomo (Piwik) for the website(s) the user is set to ‘view’.”
A POSSIBLE CONSEQUENCE?: This suggests that once a widget is made visible on a website to anonymous visitors, anyone who understands page source can discover the location of the piwik.php file, and anyone who understands both page source and Matomo has full access to all the data available for a website via a Matomo widget. One has only to write the appropriate query string and voilà: the widget appears! Is this an accurate assessment?
MY DESIRE: What I would like to achieve is the following: Display a select number of widgets for anonymous visitors without giving access to my entire Matomo database to those visitors knowledgeable about the creation and use of Matomo widgets.
QUESTION: Is my desire even possible without having to write an AJAX call?
I was not thinking about using a token for specific users; rather, making VIEW available to anonymous users and then limiting their access to specific widgets. I can see, however, how this problem would apply to users both with a token and without.
OK. So, for the moment it is AJAX! Not a big deal, mind you, just a little more coding for users, a possible new project for Matomo.
Hmm, I don't think this happened with Piwik. I just accidentally deleted the old directory, so I had to install this all again and saw this issue. Do you think password-protecting the Matomo folder would help, or will it clash with the Matomo script too?