Posted by Igal on June 30, 2012 at 9:10pm
4 followers
| Project: | Masquerade |
| Version: | 7.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs review |
Issue Summary
It seems that the module code doesn't show the masquerade block in case where the user don't have "masquerade as user" permission but have defined "masquerade as" list of users in profile. The following IF statement in module's code doesn't refer to above mentioned case
<?php
if (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin'))) {
$block['subject'] = t('Masquerade');
$block['content'] = drupal_get_form('masquerade_block_1');
}
?>
Comments
#1
Sure, we should not show this settings on user profile while he has no access
#2
It seems the answer and the supplied patch are due to two misunderstandings?
As the module works now (7.x-1.0-rc4), a user A can masquerade as another user B, EVEN if user A does not have the "masquerade as user" permission. If user A has user B listed as users he is allowed to masquerade as, then user A is able to masquerade as user B, regardless. I'm not sure if this is intended behaviour, but this is how it works
One would expect that the block displays when a user is able to masquerade as another user. As it is now, it will however not display in the scenario above. To correct this will require a change in the code that was quoted in the issue summary.
The supplied patch however doesn't deal with the block view, but with the user form. This is what seems to be the one misunderstanding. The other misunderstanding is that the access to this form needs to be changed. I think it makes perfectly sense that this form requires the "administer masquerade" permission. - it is a place where masquerade rights are administrated individually on users.
#3
@rosell.dk,
your description of the problem is correct. I just changed
<?phpif (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin'))) {
$block['subject'] = t('Masquerade');
$block['content'] = drupal_get_form('masquerade_block_1');
}
?>
with
<?phpif (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin')) || masquerade_menu_access('user')) {
$block['subject'] = t('Masquerade');
$block['content'] = drupal_get_form('masquerade_block_1');
}
?>
#4
Thank you @rosell.dk. This worked well for me in displaying the block with just a limited list of users that a person is allowed to masquerade as. I've made a patch against the latest dev version that implements your solution in the hope that this change might be committed.
Paul