Disable login for non-whitelisted IPs #22357
Conversation
This pull request has been mentioned on Matomo forums. There might be relevant details there: https://forum.matomo.org/t/disable-login-and-all-emailing-for-non-superusers-admins/58013/3
Hi @FrancoisChaumont, thank you for taking the time and submitting the PR.
Hi @michalkleiner, thanks for taking the time to look into this. Here's the use-case that led to the PR:
@FrancoisChaumont Am I right that you are actually looking for a way to restrict access for certain users to specific reports? So more something related to #1568. Restricting the login in the way you are trying to do it might not work as expected. The token_auth you would provide for loading a widgetized dashboard can always be used to request/load any other widget and even the whole Matomo interface without the need to log in.
Hi @sgiehl, not exactly. Just to confirm my understanding of accessing the "whole Matomo interface without the need to log in", is this only available when the logme feature is active (config: login_allow_logme = 1)?
Hey @sgiehl, just wondering if you had any updates on this. Could this work for the intended purpose? Is it missing something? ... Thanks
@FrancoisChaumont sorry for not coming back earlier on this.
@sgiehl No worries. Is login via token_auth only allowed with the Login Token Auth plugin installed & activated, or always? If always, is there an easy/built-in way to disable it? I'm still trying to figure out if this PR could fit my use-case.
It is always enabled, as that is how our API authentication works.
Hey @sgiehl, I think we're slowly drifting a bit from the original question. Do you think the above could be achieved? Using the changes provided in the PR? Or maybe some other ways already existing or yet to be implemented?
@FrancoisChaumont No, that won't be possible at the moment. Accessing the UI, widgetized reports or the API is possible with the same tokens. You can't easily restrict that without the risk of breaking something. Matomo would need #21175 to allow something like that directly. So you could define tokens that are e.g. only valid for certain widgetized reports or similar. That way a user wouldn't be able to use the same token for something else. If you wish to restrict some parts of your instance, you might need to do a custom implementation / plugin and hook into certain events in order to deny normal user accounts access to it. Anyway, thanks for your effort in creating this PR.
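The point made above, that the same token_auth works for the UI, widgetized reports and the API, is what decides where an IP allowlist has to be enforced. The following is an added illustration, not code from this PR or from Matomo: the `Request` type, the two gate functions and the allowlist values are hypothetical, and it contrasts an allowlist checked only on the login form with one checked wherever a session or token is accepted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample allowlist (CIDR ranges or single addresses, IPv4 and IPv6); not Matomo config.
ALLOWLIST = ["10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32", "203.0.113.7"]
VALID_TOKENS = {"constructed-token-abc123"}  # constructed sample token_auth value
DENY_MESSAGE = "Login disabled from your network."  # the customizable message the PR describes

def parse_allowlist(entries):
    """Turn allowlist strings into network objects; a malformed entry fails loudly at load time."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def ip_allowed(client_ip, networks):
    """True if client_ip is inside any allowlisted network (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

@dataclass
class Request:
    client_ip: str
    path: str                          # e.g. "/index.php?module=Login" or "/index.php?module=API"
    token_auth: Optional[str] = None   # present on API / widget requests
    password_ok: bool = False          # outcome of the form-login credential check (hypothetical)

def login_form_only_gate(req, networks):
    """Weak design: the allowlist is checked only on the login page.
    A request that carries token_auth to an API or widget URL never reaches the check."""
    if "module=Login" in req.path:
        if not ip_allowed(req.client_ip, networks):
            return False, DENY_MESSAGE
        return req.password_ok, "form"
    if req.token_auth is not None:
        return req.token_auth in VALID_TOKENS, "token"
    return False, "anonymous"

def auth_layer_gate(req, networks):
    """Hardened design: the allowlist is enforced before any credential (password or token)
    is accepted, so form login and token_auth are subject to the same IP restriction."""
    if not ip_allowed(req.client_ip, networks):
        return False, DENY_MESSAGE
    if req.token_auth is not None:
        return req.token_auth in VALID_TOKENS, "token"
    if "module=Login" in req.path:
        return req.password_ok, "form"
    return False, "anonymous"
```

Run the same token-bearing request from an address outside the allowlist through both gates: the form-only gate accepts it, the auth-layer gate returns the deny message.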
Description:
This allows disabling login for non-whitelisted IPs and adds some flexibility to the whitelist scope (i.e. for authentication & login).
A customized error message can be set to be displayed on the login page in order to inform about the reason for disabling login.
There are 3 new settings to play with: