$user->masquerade not set properly
| Project: | Masquerade |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | won't fix |
Jump to:
I see in the code that there is an attempt to use $user->masquerading. The problem I see is that in the cases where this is USED it is used in the current user:
<?php
if ($edit_user->masquerading) {
?><?php
$real_user = user_load(array('uid' => $user->masquerading));
?><?php
if (user_access($perm) && !$edit_user->masquerading && $user->uid != $edit_user->uid) {
?><?php
if ($user->uid == $uid || $user->masquerading) {
?>However, in the place where it is SET it is set on the user who is masquerading:
<?php
$user->masquerading = $new_user->uid;
$user = $new_user;
?>Shouldn't this be:
<?php
$new_user->masquerading = $user->uid;
$user = $new_user;
?>Or alternately just use $GLOBALS['masquerading'] instead. Either way it seems to me that the code as is has the following issues:
- on logout the menu cache is not cleared (probably not necessary anyway ... see my other issue)
- on logout the end of the masquerade is not logged
- on logout the entry in the masquerade table is not deleted
- when masquerading as a user who can masquerade as well and viewing a page other than the masquerading user it looks as though the 'Masquerade as ' link should not appear, but does
- when masquerading as a user who can masquerade as well it looks as though an attempt to switch users should return 'Access denied' and will not
On this last bit a small comment. I think that if I am masquerading as user X, and user X has the capability to masquerade as user Y that a 'Masquerade as ' link should appear when viewing user Y's user page since that is how user X would see it. I also think that in this case if I can also masquerade as user Y then clicking the link should switch my masquerading to user Y. If I cannot masquerade as user Y then clicking the link should result in 'Access denied'. It also follows that 'masquerade/switch' should not appear if the user I am masquerading as shouldn't be able to see it, but that it and 'masquerade/autocomplete' should be usable by me based on my real ability.
#1
I'm marking this as "won't fix" unless someone can replicate this issue on the current version. If you're still having problems, please re-open or file a new issue.
Clicking the links provided in the Masquerade block in the Drupal 6 version addresses the feature suggestion you've made. So if you're interested, download the latest -dev and check it out.