Open 9joshua opened 1 year ago
Note that for privacy compliance reasons this is a feature we cannot develop unless it's behind a config ini setting. For GDPR compliance the API needs to be blocked too when this feature is disabled.
I think having the option secured within a config setting would be acceptable for most users who need this - especially if the setting is available to Cloud users as well.
Apologies @9joshua, I've looked at the linked issue but I'm not 100% sure I understand what is the enhancement. Can you maybe describe it in detail/in other words what config option we'd need to add and what it controls, and whether there's still a further UI setting that enables/disables something? And what that something is? Appreciate that!
@michalkleiner We have the possibility to disable visits log and visits profile in the UI. When the visits log is disabled, this will automatically also disallow any calls to Live.getLastVisitsDetails. The issue here is around allowing access to that API method, while still disabling the visits log in the UI.
@9joshua This might be something we could implement, but keep in mind that enabling the API again would allow any user to access it.
Hi @michalkleiner - If the Visitor Log is disabled via the general or website settings, access to the Live API module is also blocked. There are instances where a user may still want to use the Live API for real-time reporting even though they have disabled the Visitor Log.
Not all data in the Live API module would necessarily result in a breach of privacy policy or regulation - for example the Live.getCounters method returns no personally identifiable information, and other Live methods can be used with the showColumns parameter to prevent requests containing PII.
Suggest adding a config ini setting which can override the disabling of the Live API module when the Visitor Log is disabled.
Live.getCounters is still available with disabled visits log. Only Live.getLastVisitsDetails is disabled. And opening up that method means that anyone having view access can request any data. Even if providing certain values of showColumns wouldn't result in returning PII, that won't prevent anyone from requesting PII. And that is where the problem is. In terms of privacy you can't guarantee that anyone might have requested relevant data.
Thanks for the extra details and explanation @sgiehl and @9joshua!
Hi @9joshua. Thank you for creating the issue and bringing this to our attention, that's very appreciated. We have reviewed and triaged this ticket internally. Our team will prioritise this, and we will update you on the progress here when we have an update to share. If you have any further information or questions, please feel free to add them here.
Another Cloud customer cannot access the Live API after following our CNIL compliance guide which includes disabling visitor profiles & the visits log. They have asked if there could be an option to separately allow Live API calls in this scenario, perhaps with a delay to keep real-time data inaccessible. Not sure how this would work with privacy regulations.
Their position is that yesterday's data is not "Live" data and should not be restricted.
This issue incorporated the Live API module, making it unavailable if the Visit Log is deactivated: https://github.com/matomo-org/matomo/issues/16259
Some users still need access to the Live API even if they don't want the Visit Log in their UI.
Suggest adding an additional option to deactivate the Live API module for more flexibility...