
github.com/matomo-org/matomo.git - Unnamed repository; edit this file 'description' to name the repository.
authorTim-Hinnerk Heuer <tim@innocraft.com>2021-08-13 11:21:57 +0300
committerGitHub <noreply@github.com>2021-08-13 11:21:57 +0300
commit397badec453c021473baaf5f6c84211536c7f71e (patch)
tree9d62b08fc28ebb251ad09546ed487816fecaba5c /plugins/Overlay
parent9d436c49ec32c9529bf3009bca46f0ed18a1c3d9 (diff)
add token_auth to overlay requests where necessary (#17851)
* add token_auth to overlay requests where necessary #17640 * ensure all links on overlay page work as expected both, with token_auth and when logged in #17640 * DRY force_api_session=1 and token_auth parameters in broadcast.js and correct in other code for convenience #17640 * polish logic for overlay with token_auth and change minimal logic in client side while validating token_auth in View::shouldPropagateTokenAuthInAjaxRequests() #17640 * use 'string' as string parameter #17640 * simplify token_auth check #17640 * revert git submodule to 4.x-dev version #17640 * return $tokenAuth string (truthy) only, simplify condition, ensure & is prepended to token_auth url param #17640 * revert submodule change * Update core/View.php Co-authored-by: Stefan Giehl <stefan@matomo.org> Co-authored-by: sgiehl <stefan@matomo.org>
Diffstat (limited to 'plugins/Overlay')
-rw-r--r--plugins/Overlay/javascripts/Overlay_Helper.js5
-rw-r--r--plugins/Overlay/javascripts/Piwik_Overlay.js1
-rw-r--r--plugins/Overlay/templates/index.twig5
-rw-r--r--plugins/Overlay/templates/index_noframe.twig5
4 files changed, 13 insertions, 3 deletions
diff --git a/plugins/Overlay/javascripts/Overlay_Helper.js b/plugins/Overlay/javascripts/Overlay_Helper.js
index 6e843df816..d095768908 100644
--- a/plugins/Overlay/javascripts/Overlay_Helper.js
+++ b/plugins/Overlay/javascripts/Overlay_Helper.js
@@ -29,7 +29,10 @@ var Overlay_Helper = {
var token_auth = piwik.broadcast.getValueFromUrl("token_auth");
if (token_auth.length && piwik.shouldPropagateTokenAuth) {
- url += '&force_api_session=1&token_auth=' + encodeURIComponent(token_auth);
+ if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
+ url += '&force_api_session=1';
+ }
+ url += '&token_auth=' + encodeURIComponent(token_auth);
}
if (link) {
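Review bot: The three-line pattern added here (append `&force_api_session=1` unless `isWidgetizeRequestWithoutSession()`, then append `&token_auth=`) is repeated in index.twig and index_noframe.twig, so the rule for when a session is forced now lives in three places. The commit message mentions consolidating these parameters in broadcast.js, which is outside this path-limited view; if a helper exists there, these call sites could use it instead of rebuilding the query string by hand. At minimum, a one-line comment above the inner `if` saying why `force_api_session` is skipped for that request type would help the next reader. The enclosing function starts and ends outside the hunk.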
diff --git a/plugins/Overlay/javascripts/Piwik_Overlay.js b/plugins/Overlay/javascripts/Piwik_Overlay.js
index 49e5c95401..f33382fceb 100644
--- a/plugins/Overlay/javascripts/Piwik_Overlay.js
+++ b/plugins/Overlay/javascripts/Piwik_Overlay.js
@@ -50,6 +50,7 @@ var Piwik_Overlay = (function () {
globalAjaxQueue.abort();
var ajaxRequest = new ajaxHelper();
ajaxRequest.addParams(params, 'get');
+ ajaxRequest.withTokenInUrl(); // needed because it is calling a controller and not the API
ajaxRequest.setCallback(
function (response) {
hideLoading();
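Review bot: `ajaxRequest.withTokenInUrl()` is called unconditionally, whereas every other call site in this commit adds `token_auth` only when `piwik.shouldPropagateTokenAuth` is set. The body of `withTokenInUrl()` is not in this diff, so it may do that check itself; if it does not, the token would be put in the query string of every overlay controller request, including for ordinary logged-in sessions, where it ends up in access logs and browser history. I would either guard the call with `if (piwik.shouldPropagateTokenAuth)` or extend the comment to state where the gating happens. The enclosing function starts and ends outside the hunk.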
diff --git a/plugins/Overlay/templates/index.twig b/plugins/Overlay/templates/index.twig
index e4a4c77441..a618224ce5 100644
--- a/plugins/Overlay/templates/index.twig
+++ b/plugins/Overlay/templates/index.twig
@@ -73,7 +73,10 @@
var iframeSrc = 'index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ rawDate }}&segment={{ segment }}';
if (piwik.shouldPropagateTokenAuth) {
- iframeSrc += '&force_api_session=1&token_auth=' + piwik.token_auth;
+ if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
+ iframeSrc += '&force_api_session=1';
+ }
+ iframeSrc += '&token_auth=' + piwik.token_auth;
}
Piwik_Overlay.init(iframeSrc, '{{ idSite }}', '{{ period }}', '{{ rawDate }}', '{{ segment }}');
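Review bot: `piwik.token_auth` is concatenated into `iframeSrc` without encoding, while the matching change in Overlay_Helper.js wraps the value in `encodeURIComponent`. The new line should read `iframeSrc += '&token_auth=' + encodeURIComponent(piwik.token_auth);`. The token is presumably a plain hex string today, so this is unlikely to break anything now, but encoding keeps the call sites consistent and prevents a token containing `&` or `#` from altering the query string. The same applies to the `newLocation += '&token_auth=' + piwik.token_auth;` line in index_noframe.twig.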
diff --git a/plugins/Overlay/templates/index_noframe.twig b/plugins/Overlay/templates/index_noframe.twig
index c3f32be6b6..2c8f63dc75 100644
--- a/plugins/Overlay/templates/index_noframe.twig
+++ b/plugins/Overlay/templates/index_noframe.twig
@@ -8,7 +8,10 @@
<script type="text/javascript">
var newLocation = 'index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ date }}&segment={{ segment }}';
if (piwik.shouldPropagateTokenAuth) {
- newLocation += '&force_api_session=1&token_auth=' + piwik.token_auth;
+ if (!piwik.broadcast.isWidgetizeRequestWithoutSession()) {
+ newLocation += '&force_api_session=1';
+ }
+ newLocation += '&token_auth=' + piwik.token_auth;
}
var locationParts = window.location.href.split('#');