Matomo: Authorization problems in 3.7.0

Did you check for any JavaScript or PHP errors?

Thanks for your reply.

In the JavaScript console i get:

Possibly unhandled rejection: You can't access this resource as it requires 'view' access for the website id = 1. index.php:245:467
e/< [...]/analytics/index.php:245:467
Cf/this.$getphp:217:340
g [...]/analytics/index.php:257:360
$digest [...]/analytics/index.php:269:70
$apply [...]/analytics/index.php:272:279
l [...]/analytics/index.php:224:393
zg/php:230:297

I can't check the PHP logfiles because the site is installed on a shared hosting enviroment.

Are there any special requirements for PHP? Can i check the database, if everything is set up correctly?

The installer should check the PHP env while installing. Can you check if your shared hosting is using mod_sec2? Matomo does not work with most configs of mod_sec2. You could ask your hoster to send you the logs?

This sounds quite similar to a lot of other unsolved issues that have been reported recently:
https://forum.matomo.org/t/keep-getting-different-cant-access-this-resource-error-message-when-i-am-using-matomo3-6-1/30858
https://forum.matomo.org/t/view-and-superuser-config-issues-on-clean-install/29189
https://forum.matomo.org/t/error-you-cant-access-this-resource-as-it-requires-view-access-for-the-website-id-1/28173

Would be interesting to know what is causing this.

Yes, these posts seem to describe the same problem. My System Check also reports everything ok except for the warnig _Geolocation works, but you are not using one of the recommended providers._

There were couple PRs that improve session handling. Eg https://github.com/matomo-org/matomo/pull/13865 and https://github.com/matomo-org/matomo/pull/13869 I presume the next beta might fix the issues one those PRs are merged.

@fdellwing Seems like mod_security2 is active and i will not get the logs from the hoster. Is there a workaround, if mod_security2 is causing these problems?
@tsteur Do you know when the next beta will be released? I would like to test, if it resolves the problems.

I would say there will be one more beta before Christmas holidays.

@iherwig I doubt your hoster compiled mod_sec2 with the --enable-htaccess-config flag, so if he does not want to help you, you might be in bad luck. Matomo does no work well with mod_sec2, even if you get the backend to run, random (or all) tracking calls might get blocked by it.

refs: https://github.com/matomo-org/matomo/issues/3371

I was looking deeper into this.

The dashboard makes a POST request to [...]index.php?date=yesterday&filter_limit=-1&format=JSON2&idSite=1&method=API.getReportPagesMetadata&module=API&period=day which sends the token_auth parameter and returns an empty response and status code 302 (location [...]?date=yesterday&filter_limit=-1&format=JSON2&idSite=1&method=API.getReportPagesMetadata&module=API&period=day).

The following GET request to the returned location returns the error response {"result":"error","message":"You can't access this resource as it requires 'view' access for the website id = 1."} (i guess because the token_auth is missing).

All requests send the valid session id in the cookie header and on the server some requests also seem to be authorized.

In the server log i see:

[...]/core/Access.php(537): You can't access this resource as it requires 'view' access for the website id = 1.
[...]/core/Piwik.php(511): Piwik\Access->checkUserHasViewAccess(Array)
[...]/plugins/API/API.php(351): Piwik\Piwik::checkUserHasViewAccess('1')
[...]/core/API/Proxy.php(232): call_user_func_array(Array, Array)
[...]/core/Context.php(28): Piwik\API\Proxy->Piwik\API{closure}()
[...]/core/API/Proxy.php(323): Piwik\Context::executeWithQueryParameters(Array, Object(Closure))
[...]/core/API/Request.php(263): Piwik\API\Proxy->call('\Piwik\Plugins\...', 'getReportPagesM...', Array)
[...]/plugins/API/Controller.php(41): Piwik\API\Request->process()
[...]/core/FrontController.php(556): call_user_func_array(Array, Array)
[...]/core/FrontController.php(144): Piwik\FrontController->doDispatch('API', false, Array)
[...]/core/dispatch.php(34): Piwik\FrontController->dispatch()
[...]/index.php(27): require_once('[...]...')
{main}

There is another POST request before that to [...]?module=API&method=API.getWidgetMetadata&filter_limit=-1&format=JSON&deep=1&idSite=1, that returns status code 200 and data. I wonder why the second POST request returns a redirect instead of data.

Funny... we had maybe a similar issue here: https://github.com/matomo-org/matomo/issues/13883 and proposed a fix in https://github.com/matomo-org/matomo/pull/13892 but I couldn't actually reproduce the issue. Not sure if related. It also somehow reminds me of https://github.com/matomo-org/matomo/issues/13795 Can you always reproduce this issue? What are the exact steps and what kind of access does your user have? View, Write, Admin or Super user? Do you know?

Yes it happens reproducible every time after login when the dashboard is loaded. The user is super user.
Some other POST requests that return a 302 redirect with empty response:

• [...]/index.php?date=yesterday&format=JSON2&idSite=1&method=CorePluginsAdmin.getUserSettings&module=API&period=day (_Settings > Personal > Settings_ page, error message: You must be logged in to access this functionality.)
• [...]/index.php?date=yesterday&format=JSON2&idSite=1&method=CorePluginsAdmin.getSystemSettings&module=API&period=day (_Settings > Websites > Manage_ page, error message: You can't access this resource as it requires view access for at least one website.)

I will try to understand what is happening on the server side at the beginning of the new year.

Thanks it would be great if you could try to understand what is happening. I've been trying to reproduce this for a while but can't. Ideally, also make sure all plugins are up to date just in case.

Someone on the forum had a similar issue which got suddenly fixed with 3.8.1:
https://forum.matomo.org/t/update-3-8-0-probleme/31340/8

That was likely due du renaming the session cookie

I am also facing the same issue as mentionee above by @iherwig.
You can't access this resource as it requires 'view' access for the website id = 1.

Can someone help me fix the same, please?

Is it fixed with 3.8.1?

Sorry for the late answer.
I now had time to look at the problem again. After installing the new version (3.11.) it still persisted. So i guessed it must be related to the server configuration and as it turned out there was a problem in the .htaccess file that was set up for another application but also affected the matomo installation.
Thanks for your help again.
Feel free to close the ticket.

Thanks for letting us know 👍