Add INI setting to disable Password Confirmation #19904
Comments
I will put this in the backlog for prioritization. But this may cause a security concern.
I installed Matomo 10 minutes ago and I am about ready to give up due to this weird behavior. Please make it optional as soon as possible. It's super annoying.
How do other SaaS tools like GitHub handle this? Do they remember for like 5 minutes that the password was given, or something like this? There must be a common way to solve this problem and it would be great to learn what it is so we don't have to reinvent the wheel (and ideally we don't introduce a new setting...)
There are a couple of WordPress plugin users that can't use these password protected features at all, they keep getting incorrect password notifications. They tried updating their passwords, using simpler passwords, using more complex passwords and updating their passwords directly in the db. Nothing worked for them. I was unable to reproduce this locally.
Proposed solution
For now I'd say we don't need to link to the FAQ within the app itself, as I guess it's very rarely needed, so maybe not worth it.
It is kind of already possible to disable the password check by adding this to
That way the password confirmation boxes are still shown, but you can simply click ok, without entering a password.
Based on @sgiehl's assessment, I'm moving this out of the milestone.
This issue has been mentioned on Matomo forums. There might be relevant details there: https://forum.matomo.org/t/how-to-disable-confirmpassword-feature/49834/2
Because a workaround is available and documented here: #19904 (comment), and because disabling this feature in theory shouldn't be required (and SAML / LDAP plugins handle it correctly), we can close this issue, I think. Please comment or reopen if I missed something.
Note: workaround available
Bug description
Similar to matomo-org/plugin-LoginLdap#310
In some cases a Matomo admin might want to disable the password prompt that they get when performing any admin actions in a Matomo instance (e.g. creating a new user, changing settings, etc.)
For Matomo instances that have a high number of users and/or measurables this can mean that a Matomo admin enters their password for confirmation many times in a potentially short period of time.
With the new Password prompt implementation it is possible to disable the requirement for a password and instead just have a "Yes/No" prompt: #19525
However, from a security standpoint it would likely be best to have this still enabled by default and perhaps add a config option that could disable the password prompt.