@anonymous-piwik-user opened this Issue on June 14th 2009

Unfortunately I have made a mistake in creating the URL to access a Piwik table from outside:

http://..url../piwik/?module=API&method=VisitsSummary.getVisits&idSite=1&date=today&period=day&format=html&filter_limit=10&token_auth%20=ecb47dbe1601a91c668653bfd2c05d3b

As you can see, after the token_auth I have one (1) space.
Funny now, because this user has NO access, but can see the result!
If the URL is given in the correct format (no space between token_auth and the =), the access is forbidden (as it should be):
You can't access this resource as it requires a 'view' access for the website id = 1.

Even funnier, if there are 2 spaces (1 BEFORE the = and 1 after), like: token_auth%20=%20ecb47dbe1601a91c668653bfd2c05d3b
access is allowed!

This seems to me to be a heavy bug.

Keywords: authentication, token, access

@robocoder commented on June 14th 2009 Contributor

Unable to reproduce. Please check that the anonymous user doesn't have View access.

This Issue was closed on June 14th 2009