Add new INI config [General] enable_framed_allow_write_admin_token_auth… (#16595)

* Add new INI config [General] enable_framed_allow_write_admin_token_auth to allow framed matomo use case to still function in Matomo 4.

* Link to faq in exception message.

* apply pr feedback and write integration tests (not passing)

* fix test

* fix test

* update screenshot

* fix more ui tests

* update exception message

* update some expected screenshots

* update screenshot

Co-authored-by: Thomas Steur <tsteur@users.noreply.github.com>

1 files changed, 7 insertions, 0 deletions

diff --git a/config/global.ini.php b/config/global.ini.php
index 568c5910a5..58dc9bb380 100755
--- a/config/global.ini.php
+++ b/config/global.ini.php
@@ -455,6 +455,13 @@ enable_framed_pages = 0
 ; Default is 0 (i.e., bust frames on the Settings forms).
 enable_framed_settings = 0
 
+; Set to 1 to allow using token_auths with write or admin access in iframes that embed Matomo.
+; Note that the token used will be in the URL in the iframe, and thus will be stored in webserver
+; logs and possibly other places. Using write or admin token_auths can be seen as a security risk,
+; though it can be necessary in some use cases. We do not recommend enabling this setting, for more
+; information view the FAQ: https://matomo.org/faq/troubleshooting/faq_147/
+enable_framed_allow_write_admin_token_auth = 0
+
 ; language cookie name for session
 language_cookie_name = matomo_lang