Ticket #799 (closed Bug: worksforme)

Opened 8 months ago

Last modified 8 months ago

Authentification - Token

Reported by: mic Owned by:
Priority: critical Milestone: Piwik 0.4.1
Component: Core Keywords: authentification,token,access
Cc: Sensitive:

Description

Unfortunetely i have made a mistake in creating the url for access a piwik table from outside: 

http://..url../piwik/?module=API&method=VisitsSummary.getVisits&idSite=1&date=today&period=day&format=html&filter_limit=10&token_auth%20=ecb47dbe1601a91c668653bfd2c05d3b

As you can see, after the token_auth i have one (1) space. Funny now, becuase this user has NO access, but can see the result! If the url is given in correct format (no space between token_auth and the =, the access is forbidden (as it should): You can't access this resource as it requires a 'view' access for the website id = 1.

But further funny, if there are 2 spaces (1 BEFORE the = and 1 after like: token_auth%20=%20ecb47dbe1601a91c668653bfd2c05d3b access is allowed!

This seems to me as a heavy bug.

Change History

Changed 8 months ago by vipsoft

  • status changed from new to closed
  • resolution set to worksforme

Unable to reproduce. Please check that the anonymous user doesn't have View access.

Note: See TracTickets for help on using tickets.