Support token_auth with higher access for configurable Module.Action endpoints#24103

Open
mneudert wants to merge 1 commit into 5.x-dev from id-11

Conversation


@mneudert mneudert commented Feb 19, 2026

Description

Requesting a non-API endpoint in Matomo using a regular token_auth is, by default, only allowed with a "view only" access backed account. Higher privileges require activating enable_framed_allow_write_admin_token_auth:

; Set to 1 to allow using token_auths with write or admin access in iframes that embed Matomo.
; Note that the token used will be in the URL in the iframe, and thus will be stored in webserver
; logs and possibly other places. Using write or admin token_auths can be seen as a security risk,
; though it can be necessary in some use cases. We do not recommend enabling this setting, for more
; information view the FAQ: https://matomo.org/faq/troubleshooting/faq_147/
enable_framed_allow_write_admin_token_auth = 0

This is a global setting, for everything, and cannot be limited to certain plugins if one wants to keep the risk low.

This PR adds a new config option with a naming not specifically tied to "framed pages", that allows configuring a list of Module.Action endpoints to be accessible by token_auth. Might need some future improvements to adjust the error message, as that always hints at the widgetization/embedding, but might be useful for any controller that needs token authentication and does not fit in the API layer.

It still keeps the super user access guard in place. Only write/admin level tokens are possible.

Checklist

  • [✔] I have understood, reviewed, and tested all AI outputs before use
  • [✔] All AI instructions respect security, IP, and privacy rules
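A standalone model of the decision described above, added here as an illustration and not code from Matomo or from this PR: a view token always passes, a write/admin token passes only via the global framed flag or an explicit Module.Action allowlist entry, and a super user token is always refused. The allowlist config key name and the sample endpoints are placeholders, since the PR text does not name them.

```php
<?php
// Added example (not Matomo's code): a standalone model of the request-level
// token_auth policy described in the PR. The per-endpoint allowlist key is a
// placeholder; only enable_framed_allow_write_admin_token_auth is a real option.
declare(strict_types=1);

const ACCESS_VIEW      = 'view';
const ACCESS_WRITE     = 'write';
const ACCESS_ADMIN     = 'admin';
const ACCESS_SUPERUSER = 'superuser';

/**
 * Decide whether a non-API controller request authenticated with a token_auth
 * may proceed, given the token's access level and the two config switches.
 *
 * @param string   $module           controller module, e.g. "CoreHome"
 * @param string   $action           controller action, e.g. "index"
 * @param string   $tokenAccess      one of the ACCESS_* constants
 * @param bool     $framedGlobalFlag enable_framed_allow_write_admin_token_auth
 * @param string[] $allowedEndpoints placeholder allowlist of "Module.Action" strings
 */
function isTokenAuthRequestAllowed(
    string $module,
    string $action,
    string $tokenAccess,
    bool $framedGlobalFlag,
    array $allowedEndpoints
): bool {
    // Super user guard stays in place: such tokens are refused regardless of config.
    if ($tokenAccess === ACCESS_SUPERUSER) {
        return false;
    }
    // View-only tokens are the existing default and always pass.
    if ($tokenAccess === ACCESS_VIEW) {
        return true;
    }
    // Write/admin tokens: the global flag opens every controller (the risk the
    // PR wants to avoid), the allowlist opens only the listed endpoints.
    if ($framedGlobalFlag) {
        return true;
    }
    return in_array($module . '.' . $action, $allowedEndpoints, true);
}

// Constructed sample: scope write tokens to a single hypothetical endpoint.
$allowlist = ['MyPlugin.export'];
isTokenAuthRequestAllowed('MyPlugin', 'export', ACCESS_WRITE, false, $allowlist);     // listed endpoint
isTokenAuthRequestAllowed('CoreHome', 'index', ACCESS_WRITE, false, $allowlist);      // unlisted endpoint
isTokenAuthRequestAllowed('MyPlugin', 'export', ACCESS_SUPERUSER, false, $allowlist); // guard still applies
```

The global flag and the allowlist are evaluated independently, so enabling the flag still widens access to every controller; the allowlist only helps while the flag stays at 0.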

Review

@mneudert mneudert self-assigned this Feb 19, 2026
@mneudert mneudert changed the title Support token_auth with higher access for configurable Module.Action … Support token_auth with higher access for configurable Module.Action endpoints Feb 19, 2026
@mneudert mneudert added this to the 5.8.0 milestone Feb 19, 2026
@mneudert mneudert removed their assignment Feb 19, 2026
@mneudert mneudert requested a review from a team February 19, 2026 17:32
@mneudert mneudert marked this pull request as ready for review February 20, 2026 08:37