If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'. |
Description
Until now, every auth token in Matomo inherited the full permissions of the user who created it. That meant a token shared with a third-party tool, or accidentally leaked, could do anything its owner could do — including superuser actions for superuser accounts. There was no way to hand out a "read-only" or "write-only" token without creating a separate user just for that purpose.
This PR introduces per-token access levels. When creating a new auth token, users can now choose the highest permission level the token is allowed to use: inherit the user's own access (the existing behaviour, and the default), or restrict the token to view, write, or admin. Superusers can also issue superuser-scoped tokens. The dropdown only offers levels the creator is themselves allowed to grant, so an admin user cannot mint a superuser token.
At request time, Matomo enforces the chosen ceiling across all entry points — the reporting API, tracker, and CLI alike. A token marked as write-only will be treated as write-only even if the underlying user account is a superuser, so the worst a leaked token can do is bounded by what was selected when it was created. Existing tokens are unaffected: a NULL access level continues to mean "inherit the user's access", which preserves the previous behaviour for every token created before the upgrade.
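The ceiling logic described in the PR, written out as a small model so the two rules can be checked in isolation: a request gets the lower of the user's own access and the token's access level, and a NULL token level means "inherit". This is an added illustration, not code from the PR or from Matomo; the linear view < write < admin < superuser ranking, the function names, and the flat (not per-site) treatment of access are assumptions made for the example.

```python
"""Model of per-token access ceilings (added example, not Matomo's own code)."""
from typing import List, Optional

# Ordered access levels, lowest to highest. The names follow the PR's
# view/write/admin/superuser vocabulary; the strict linear ranking is an
# assumption of this example (real Matomo access is partly per-site).
LEVELS = ["view", "write", "admin", "superuser"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def _check_level(level: str, what: str) -> None:
    if level not in RANK:
        raise ValueError(f"unknown {what} access level: {level!r}")


def effective_access(user_access: str, token_access: Optional[str]) -> str:
    """Access a request may exercise when authenticated with a token.

    None models the NULL access level of tokens created before the upgrade:
    the token simply inherits the user's access. Otherwise the request is
    capped at the lower of the user's access and the token's ceiling, so a
    write-scoped token issued by a superuser behaves as a write token, and a
    token whose stored level exceeds the user's current access (for example
    after the user was demoted) is still bounded by the user.
    """
    _check_level(user_access, "user")
    if token_access is None:
        return user_access
    _check_level(token_access, "token")
    return LEVELS[min(RANK[user_access], RANK[token_access])]


def grantable_levels(creator_access: str) -> List[str]:
    """Levels a creator may assign to a new token: nothing above their own."""
    _check_level(creator_access, "creator")
    return LEVELS[: RANK[creator_access] + 1]


def issue_token(creator_access: str, requested_level: Optional[str]) -> Optional[str]:
    """Validate a requested token ceiling server-side.

    The dropdown only offers grantable levels, but the check must be repeated
    on the server: a crafted request could post any value. Returns the level
    to store (None for inherit) or raises PermissionError.
    """
    if requested_level is None:
        return None
    _check_level(requested_level, "requested")
    if requested_level not in grantable_levels(creator_access):
        raise PermissionError(
            f"{creator_access} user may not issue a {requested_level} token"
        )
    return requested_level


def can_perform(required: str, user_access: str, token_access: Optional[str]) -> bool:
    """Authorisation check at an entry point (API, tracker, CLI alike)."""
    _check_level(required, "required")
    return RANK[effective_access(user_access, token_access)] >= RANK[required]


if __name__ == "__main__":
    # A superuser's leaked write-only token cannot perform admin actions.
    print(can_perform("admin", "superuser", "write"))   # False
    # A legacy token (NULL level) keeps the old behaviour.
    print(effective_access("superuser", None))          # superuser
    # An admin cannot mint a superuser token, even by forging the request.
    try:
        issue_token("admin", "superuser")
    except PermissionError as exc:
        print(exc)
```

The server-side `issue_token` check is the part worth carrying into a real implementation: restricting the dropdown is a usability measure, not a security boundary.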
Checklist
Review