-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Page Overlay ignores token_auth in URL when opened from a Widget #17640
Comments
Probably related to this PR: #17520 |
@tsteur I tested this on 4.2.1 and had the exact same error. I tried appending the |
Weird, it worked for me there using
and then opening the page overlay. Tested this in a private window where you aren't logged in. |
actually 4.2 and 4.3 works for me nicely with only the token. |
I can't reproduce the issue actually |
@flamisz removing The link that is generated for the overview on both my testing instances is the following: |
@tsteur the same for me, it works on the latest version with a view token even when the |
@flamisz If it helps narrow it down, I'm testing using localhost for the iFrame widget with an externally hosted Matomo install (Accessible from the internet). |
great find @flamisz could you also |
@tsteur it happens there as well. it's not a regression in my opinion. |
Great, thanks @flamisz I moved it out of the milestone for now. |
I think the token_auth should be appended to all URLs in Widgets that have it in the link or iframe widget. I think it should not create a new session as this could be confusing. If it starts a session, the view user would be logged in and potentially logged out of another account the person is using or be logged in when they were not. We could use the If we append the token_auth to every URL, maybe it could be made part of a core JS library. However, this might prove tricky to do. Maybe an event that bubbles up the DOM could be caught and inject it so to speak, but this could be complicated to do and have other downsides later that we don't consider now. The easy thing to do would be to just ask plugin developers to append any token_auth parameters to the URLs used in their plugins. We could add a function to the framework that does this automatically. For example, a plugin dev could call something like: var url = '/index.php?param1=value1&' + tokenAuth(); If we later have more URL parameters that need to be added, we could also generically do something like: function appendAdditionalURLParameters(url) {
return url + '&token_auth=...&other_matomo_url_parameters=values';
}
// usage
var url = appendAdditionalURLParameters('/index.php?something=else'); Of course the function name could be shortened to something like: function aaup(url) {
// ...
} |
@geekdenz I'm not entirely sure but I think there are three issues: issue 1When you embed the widget eg like this:
then you click on overlay then the URL includes the force_api_session URL parameter which it shouldn't see below (it's not really a problem but it shouldn't contain this parameter in this case when it's not set in the original URL)
There is a method issue 2The next problem is that it seems to call the
This triggers an exception and the login screen to be shown (as it has the iframe buster on). Meaning issue 3Same applied to where it tries to render the sidebar in https://github.com/matomo-org/matomo/blob/4.4.1-rc1/plugins/Overlay/javascripts/Piwik_Overlay.js#L40-L53 --> a It's probably not really to do with plugins but really with the implementation in overlay.js Hope this helps |
Thanks @tsteur . It does. I found this setting: [General]
enable_framed_pages = true here: Lines 458 to 462 in a35070b
Should this be required for this to work? I also found it in the Overlay code here: matomo/plugins/Overlay/javascripts/Overlay_Helper.js Lines 31 to 32 in 1155273
Otherwise we could add this parameter I assume:
|
Sorry, no adding the module parameter probably does not work as it is the Overlay module already. |
Maybe we could just open it in the current window/tab if it is a widget? Would that make sense from a user's perspective? |
While testing I changed the
The overlay helper you are referencing might need to be changed indeed 👍 |
@tsteur Please consider checking out my branch above. I have not created a PR yet, as there are no unit tests and I have not done extensive testing. You could check it out though to see if we're on the right track. |
@geekdenz generally I think only a few changes in the Overlay plugin should be needed. All the other changes can be likely reverted. I'll also leave a comment in the code |
actually be good to create a PR already so I can leave comments. You can then mark it as a "draft". It will then also run the overlay UI tests etc. |
… correct in other code for convenience #17640
…client side while validating token_auth in View::shouldPropagateTokenAuthInAjaxRequests() #17640
…is prepended to token_auth url param #17640
* add token_auth to overlay requests where necessary #17640 * ensure all links on overlay page work as expected both, with token_auth and when logged in #17640 * DRY force_api_session=1 and token_auth parameters in broadcast.js and correct in other code for convenience #17640 * polish logic for overlay with token_auth and change minimal logic in client side while validating token_auth in View::shouldPropagateTokenAuthInAjaxRequests() #17640 * use 'string' as string parameter #17640 * simplify token_auth check #17640 * revert git submodule to 4.x-dev version #17640 * return $tokenAuth string (truthy) only, simplify condition, ensure & is prepended to token_auth url param #17640 * revert submodule change * Update core/View.php Co-authored-by: Stefan Giehl <stefan@matomo.org> Co-authored-by: sgiehl <stefan@matomo.org>
Expected Behavior
When embedding Matomo widgets in an iFrame, it is expected that all links in the widget will work when using a
token_auth
with the correct permissions.Current Behavior
When embedding Matomo widgets that contain links to view the Page Overlay (For example the Pages or Page URL reports) the Page Overlay links open in a new tab and force the user to log in instead of using the
token_auth
present in the URL.This causes any users that are already logged in to Matomo but don't have access to the site to see
You do not have access
in the Page Overlay UI.Users that are not logged in will see the error message
Your session has expired due to inactivity. Please log in to continue.
Steps to Reproduce (for Bugs)
token_auth
of a user that hasview
access to the reportYour Environment
The text was updated successfully, but these errors were encountered: