matomo-org · sgiehl · Aug 13, 2021 · Aug 3, 2021 · Aug 5, 2021 · Aug 5, 2021
diff --git a/misc/log-analytics b/misc/log-analytics
diff --git a/plugins/Annotations/javascripts/annotations.js b/plugins/Annotations/javascripts/annotations.js
@@ -112,6 +112,7 @@
 
             var ajaxRequest = new ajaxHelper();
             ajaxRequest.addParams(ajaxParams, 'get');
+            ajaxRequest.withTokenInUrl();
             ajaxRequest.setFormat('html');
             ajaxRequest.setCallback(callback);
             ajaxRequest.send();

diff --git a/plugins/CoreHome/angularjs/common/services/piwik-api.js b/plugins/CoreHome/angularjs/common/services/piwik-api.js
@@ -338,7 +338,7 @@ var hasBlockedContent = false;
         }
 
         return {
-            withTokenInUrl: withTokenInUrl,
+            withTokenInUrl: withTokenInUrl, // technically should probably be called withTokenInPost
             bulkFetch: bulkFetch,
             post: post,
             fetch: fetch,

diff --git a/plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js b/plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js
@@ -113,9 +113,7 @@
                             url += '&showtitle=1';
                         }
 
-                        if (piwik.shouldPropagateTokenAuth && broadcast.getValueFromUrl('token_auth')) {
-                            url += '&force_api_session=1&token_auth=' + broadcast.getValueFromUrl('token_auth');
-                        }
+                        url = piwik.broadcast.addTokenOrForceApiTo(url);
 
                         url += '&random=' + parseInt(Math.random() * 10000);
 

diff --git a/plugins/CoreHome/javascripts/broadcast.js b/plugins/CoreHome/javascripts/broadcast.js
@@ -177,6 +177,23 @@ var broadcast = {
         }
     },
 
+    /**
+     * add token or force_api_session=1 to url if required for a GET request
+     * @param url the GET request, must be GET as we want to avoid adding
+     *        this if possible for security reasons
+     * @returns {*} augmented url
+     */
+    addTokenOrForceApiTo: function(url) {
+        var token_auth = this.getValueFromUrl("token_auth");
+        if (token_auth.length) { // this is required because the date range does not work otherwise
+            url += '&token_auth='  + encodeURIComponent(token_auth);
+            if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
+                url += '&force_api_session=1';
+            }
+        }
+        return url;
+    },
+
     isWidgetizedDashboard: function() {
         return broadcast.getValueFromUrl('module') == 'Widgetize' && broadcast.getValueFromUrl('moduleToWidgetize') == 'Dashboard';
     },

diff --git a/plugins/CoreHome/javascripts/dataTable_rowactions.js b/plugins/CoreHome/javascripts/dataTable_rowactions.js
@@ -474,6 +474,7 @@ DataTable_RowActions_RowEvolution.prototype.showRowEvolution = function (apiMeth
 
     var ajaxRequest = new ajaxHelper();
     ajaxRequest.addParams(requestParams, 'get');
+    ajaxRequest.withTokenInUrl();
     ajaxRequest.setCallback(callback);
     ajaxRequest.setFormat('html');
     ajaxRequest.send();

diff --git a/plugins/Live/javascripts/SegmentedVisitorLog.js b/plugins/Live/javascripts/SegmentedVisitorLog.js
@@ -135,6 +135,7 @@ var SegmentedVisitorLog = function() {
 
         var ajaxRequest = new ajaxHelper();
         ajaxRequest.addParams(requestParams, 'get');
+        ajaxRequest.withTokenInUrl();
         ajaxRequest.setCallback(callback);
         ajaxRequest.setFormat('html');
         ajaxRequest.send();

diff --git a/plugins/Live/javascripts/visitorProfile.js b/plugins/Live/javascripts/visitorProfile.js
@@ -155,8 +155,9 @@
             // append token_auth dynamically to export link
             $element.on('mousedown', '.visitor-profile-export', function (e) {
                 var url = $(this).attr('href');
-                if (url.indexOf('&token_auth=') == -1) {
-                    $(this).attr('href', url + '&force_api_session=1&token_auth=' + piwik.token_auth);
+                var augmentedUrl = piwik.broadcast.addTokenOrForceApiTo(url);
+                if (augmentedUrl !== url) {
+                    $(this).attr('href', augmentedUrl);
                 }
             });
 

diff --git a/plugins/Morpheus/icons b/plugins/Morpheus/icons
diff --git a/plugins/Overlay/Overlay.php b/plugins/Overlay/Overlay.php
@@ -28,6 +28,7 @@ function registerEvents()
      */
     public function getJsFiles(&$jsFiles)
     {
+        $jsFiles[] = "plugins/CoreHome/javascripts/broadcast.js";
         $jsFiles[] = 'plugins/Overlay/javascripts/rowaction.js';
         $jsFiles[] = 'plugins/Overlay/javascripts/Overlay_Helper.js';
     }

diff --git a/plugins/Overlay/javascripts/Overlay_Helper.js b/plugins/Overlay/javascripts/Overlay_Helper.js
@@ -27,10 +27,7 @@ var Overlay_Helper = {
             url += '&segment=' + encodeURIComponent(segment);
         }
 
-        var token_auth = piwik.broadcast.getValueFromUrl("token_auth");
-        if (token_auth.length && piwik.shouldPropagateTokenAuth) {
-            url += '&force_api_session=1&token_auth='  + encodeURIComponent(token_auth);
-        }
+        url = piwik.broadcast.addTokenOrForceApiTo(url);
 
         if (link) {
             url += '#?l=' + Overlay_Helper.encodeFrameUrl(link);

diff --git a/plugins/Overlay/javascripts/Piwik_Overlay.js b/plugins/Overlay/javascripts/Piwik_Overlay.js
@@ -50,6 +50,7 @@ var Piwik_Overlay = (function () {
         globalAjaxQueue.abort();
         var ajaxRequest = new ajaxHelper();
         ajaxRequest.addParams(params, 'get');
+        ajaxRequest.withTokenInUrl(); // needed because it is calling a controller and not the API
         ajaxRequest.setCallback(
             function (response) {
                 hideLoading();

diff --git a/plugins/Overlay/templates/index.twig b/plugins/Overlay/templates/index.twig
@@ -72,9 +72,7 @@
             Piwik_Overlay.siteUrls = {{ siteUrls|json_encode|raw }};
 
             var iframeSrc = 'index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ rawDate }}&segment={{ segment }}';
-            if (piwik.shouldPropagateTokenAuth) {
-                iframeSrc += '&force_api_session=1&token_auth=' + piwik.token_auth;
-            }
+            iframeSrc = piwik.broadcast.addTokenOrForceApiTo(iframeSrc);
 
             Piwik_Overlay.init(iframeSrc, '{{ idSite }}', '{{ period }}', '{{ rawDate }}', '{{ segment }}');
 

diff --git a/plugins/Overlay/templates/index_noframe.twig b/plugins/Overlay/templates/index_noframe.twig
@@ -6,10 +6,7 @@
 <div id="overlayNoFrame">
 
     <script type="text/javascript">
-        var newLocation = 'index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ date }}&segment={{ segment }}';
-        if (piwik.shouldPropagateTokenAuth) {
-            newLocation += '&force_api_session=1&token_auth=' + piwik.token_auth;
-        }
+        var newLocation = piwik.broadcast.addTokenOrForceApiTo('index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ date }}&segment={{ segment }}');
 
         var locationParts = window.location.href.split('#');
         if (locationParts.length > 1) {