
Anonymous user access doesn't send any security alerts or require password verification

Open Starker3 opened this issue 2 years ago • 9 comments

There is currently no security alert sent when the anonymous user is enabled for a Matomo instance. It also doesn't require a password for verification.

This means that any user that can set access for user accounts for a site/measurable could enable it without properly reading the warning and allow public access to their reports.

It would be good from a security perspective to do the following:

  1. Send an email alert to all super users that the anonymous user has been given access to site(s)
  2. Require password verification (There is already a popup, but this can be clicked without needing a password)
  3. Potentially send an email notification once a week/month to super users as a scheduled task so that they are reminded that their reports are publicly accessible. This would be useful for people who already have the anonymous user active and wouldn't have got the security alert.

Starker3 avatar Aug 08 '22 04:08 Starker3
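Items 1 and 3 of the request above can be prototyped as a small Matomo plugin. The sketch below is an added illustration and is not Matomo's own code nor anything proposed in this issue: it hooks the end of the `UsersManager.setUserAccess` API call to mail every super user when the `anonymous` login is granted access, and schedules a weekly reminder while that access remains in place. The event name `API.UsersManager.setUserAccess.end`, the layout of the `$finalParameters['parameters']` array, and `Model::getSitesAccessFromUser()` are assumptions about the Matomo 4 plugin API and should be checked against the installed version; the plugin name `AnonymousAccessAlert` is hypothetical. Item 2 (password confirmation) belongs in core, so it is not shown here.

```php
<?php
// Added example, not Matomo's own code. Assumed plugin name: AnonymousAccessAlert.
// In a real plugin the Tasks class lives in its own Tasks.php; both are shown
// in one file here for readability.

namespace Piwik\Plugins\AnonymousAccessAlert;

use Piwik\Mail;
use Piwik\Piwik;
use Piwik\Plugins\UsersManager\Model as UsersModel;

class AnonymousAccessAlert extends \Piwik\Plugin
{
    // Login used by Matomo for the public/anonymous user.
    const ANONYMOUS_LOGIN = 'anonymous';

    public function registerEvents()
    {
        // Assumption: Matomo posts "API.<Module>.<method>.end" after every API call.
        return [
            'API.UsersManager.setUserAccess.end' => 'onSetUserAccess',
        ];
    }

    // Assumption: $finalParameters['parameters'] is keyed by the API method's
    // parameter names (userLogin, access, idSites, ...).
    public function onSetUserAccess(&$returnedValue, $finalParameters)
    {
        $params  = $finalParameters['parameters'] ?? [];
        $login   = $params['userLogin'] ?? null;
        $access  = $params['access'] ?? null;
        $idSites = (array) ($params['idSites'] ?? []);

        // Only the anonymous login matters, and removing access needs no alert.
        if ($login !== self::ANONYMOUS_LOGIN || $access === 'noaccess') {
            return;
        }

        self::notifySuperUsers(
            'Matomo: public (anonymous) access was granted',
            sprintf(
                "The '%s' user was given '%s' access to site id(s): %s.\n"
                . "Reports for these sites can now be read without logging in.",
                self::ANONYMOUS_LOGIN, $access, implode(', ', $idSites)
            )
        );
    }

    // Sends one plain-text mail to every super user account.
    public static function notifySuperUsers($subject, $body)
    {
        $recipients = Piwik::getAllSuperUserAccessEmailAddresses(); // login => email
        if (empty($recipients)) {
            return;
        }
        $mail = new Mail();
        $mail->setDefaultFromPiwik();
        $mail->setSubject($subject);
        $mail->setBodyText($body);
        foreach ($recipients as $login => $email) {
            $mail->addTo($email, $login);
        }
        $mail->send();
    }
}

class Tasks extends \Piwik\Plugin\Tasks
{
    public function schedule()
    {
        // Weekly reminder for installs where anonymous access was enabled
        // before any alerting existed (item 3 of the request).
        $this->weekly('remindAboutAnonymousAccess');
    }

    public function remindAboutAnonymousAccess()
    {
        // Assumption: getSitesAccessFromUser() returns rows with 'site' and 'access'.
        $model = new UsersModel();
        $publicSites = [];
        foreach ($model->getSitesAccessFromUser(AnonymousAccessAlert::ANONYMOUS_LOGIN) as $row) {
            if (($row['access'] ?? 'noaccess') !== 'noaccess') {
                $publicSites[] = $row['site'];
            }
        }
        if (empty($publicSites)) {
            return; // nothing is public, stay quiet
        }
        AnonymousAccessAlert::notifySuperUsers(
            'Matomo: reminder, anonymous access is still enabled',
            sprintf(
                "The '%s' user still has access to site id(s): %s.\n"
                . "Revoke it under Administration > System > Users if this is unintended.",
                AnonymousAccessAlert::ANONYMOUS_LOGIN, implode(', ', $publicSites)
            )
        );
    }
}
```

The `.end` hook is deliberately used rather than the pre-call hook so the mail is only sent once the grant has actually been persisted; a failed or rejected call produces no alert.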

Would you mind defining what the expected behavior should be when selecting multiple users (including anonymous) in the list and giving all view access at once? Currently not even the additional access warning is shown in that case.

sgiehl avatar Aug 12 '22 12:08 sgiehl

FYI it's actually too easy to give an anonymous user view access by accident. Especially using the multi select. Maybe an anonymous user cannot be enabled in the UI along with other users in the future?

And/or maybe ideally the anonymous user wouldn't appear in the users list until specifically enabled to appear there. We could always show e.g. this menu item:

(screenshot)

and have a setting to enable/disable the anonymous user setting feature (just a random example). (screenshot)

Just a few ideas.

tsteur avatar Aug 14 '22 20:08 tsteur

Just confirming the changes for this issue. @mattab @tsteur

  • Have a separate setting page for anonymous user to enable/disable, require password confirmation on change.
  • Remove anonymous user from the user manage page

Question:

  • Do we need @Javi-Ormaechea to confirm the changes, due to a UI update?
  • Do we still send emails to the super admin when anonymous user access is being changed?

peterhashair avatar Nov 06 '22 21:11 peterhashair

@mattab can you please offer your thoughts on @peterhashair's approach and questions here?

justinvelluppillai avatar Nov 08 '22 23:11 justinvelluppillai

Additionally:

  • Ask for password confirmation when Enabling the anonymous user in the new screen
  • Send an email to all Super Users to notify them that this website was made public to anonymous

The proposed new screen (inspired by https://user-images.githubusercontent.com/273120/184553332-1de9f682-9e77-4f1a-93d6-3863d84aa9dc.png) & email message microcopy will be provided by @Javi-Ormaechea shortly

mattab avatar Nov 09 '22 02:11 mattab

@mattab any update on this?

peterhashair avatar Nov 13 '22 20:11 peterhashair

First screen has the header, intro copy and checkbox.

(screenshot: 01-anonymous-user)

Second screen, once the user clicks on the checkbox the modal requesting a password appears.

(screenshot: 02-anonymous-user)

Third screen, introduces the inline notification above the header (as we currently do), with the message ‘Public access to your data is enabled. You can disable it at any time by unchecking the box’.

And the options for the users to manage what the anonymous users can see:

  • Select what users can see
  • Select the data shown by default

(screenshot: 03-anonymous-user)

Javi-Ormaechea avatar May 15 '23 23:05 Javi-Ormaechea

Hi @Javi-Ormaechea, in your suggestion the anonymous user can only access one single site or all sites... It is impossible to give access to only some of them...

heurteph-ei avatar May 16 '23 08:05 heurteph-ei

Context: Users can enable the 'anonymous user' at any point to grant public access to their data. Once the 'anonymous user' is enabled, a new sub-section called 'anonymous user' is created in the nav, where users can manage what the 'anonymous user' can see, but this section doesn't appear straight away unless the user refreshes the page, which means that it is not easy to find.

Problem: We are not informing users that enabling the 'anonymous user' gives public access to their data. It also doesn't require a password for verification, which means that any user could enable it without any warning of any sort. The new section created to manage the 'anonymous user' doesn't appear straight away, which means quite a few users could be missing it.

Solution: The 'anonymous user' sub-section will now be fixed and found under 'System', below 'Users', where users can enable and disable access for the 'anonymous user' by clicking on the checkbox.

(screenshot: 01-anonymous-user-checkbox)

Once the checkbox gets clicked, a modal will ask users for password verification.

(screenshot: 02-anonymous-user-enter-password)

Once the 'anonymous user' gets enabled, the settings will appear for users to define 'what can they see' and 'what data is shown by default'. We will also show a warning notification at all times so that all users are aware that 'Public access to their data is enabled and can be disabled at any time.'

(screenshot: 03-anonymous-user-options)

As an optimisation, we are also adding the option for users to provide access to multiple sites by clicking on 'add another website' once they select the 'Dashboard for a specific website' option under 'what users can see'. It will display another dropdown for users to select from their available sites, and this action can be performed as many times as needed.

(screenshot: 04-anonymous-user-add-another-website)

Javi-Ormaechea avatar May 23 '23 23:05 Javi-Ormaechea