| Project: | Masquerade |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (won't fix) |
Issue Summary
I see in the code that there is an attempt to use $user->masquerading. The problem I see is that in the cases where this is USED it is used in the current user:
<?php
if ($edit_user->masquerading) {
?>
<?php
$real_user = user_load(array('uid' => $user->masquerading));
?>
<?php
if (user_access($perm) && !$edit_user->masquerading && $user->uid != $edit_user->uid) {
?>
<?php
if ($user->uid == $uid || $user->masquerading) {
?>
However, in the place where it is SET it is set on the user who is masquerading:
<?php
$user->masquerading = $new_user->uid;
$user = $new_user;
?>
Shouldn't this be:
<?php
$new_user->masquerading = $user->uid;
$user = $new_user;
?>
Or alternately just use $GLOBALS['masquerading'] instead. Either way it seems to me that the code as is has the following issues:
- on logout the menu cache is not cleared (probably not necessary anyway ... see my other issue)
- on logout the end of the masquerade is not logged
- on logout the entry in the masquerade table is not deleted
- when masquerading as a user who can masquerade as well and viewing a page other than the masquerading user it looks as though the 'Masquerade as ' link should not appear, but does
- when masquerading as a user who can masquerade as well it looks as though an attempt to switch users should return 'Access denied' and will not
On this last bit a small comment. I think that if I am masquerading as user X, and user X has the capability to masquerade as user Y that a 'Masquerade as ' link should appear when viewing user Y's user page since that is how user X would see it. I also think that in this case if I can also masquerade as user Y then clicking the link should switch my masquerading to user Y. If I cannot masquerade as user Y then clicking the link should result in 'Access denied'. It also follows that 'masquerade/switch' should not appear if the user I am masquerading as shouldn't be able to see it, but that it and 'masquerade/autocomplete' should be usable by me based on my real ability.
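The assignment-order problem described in this issue, as an added example that is not part of the original post or the Masquerade module's code: stand-alone PHP with no Drupal bootstrap, showing why a flag set on the old `$user` object is gone once `$user` is rebound, so a logout-time audit step never fires. The function names, the sample uids and the flag-gated logout check are assumptions made for illustration.

```php
<?php
// Added example: plain PHP objects stand in for Drupal user objects.
// All function names here are hypothetical, not the module's API.

function make_user($uid) {
  $u = new stdClass();
  $u->uid = $uid;
  return $u;
}

// Assignment order quoted in the issue: the flag is written to the
// real user's object, which is dropped when $user is rebound.
function switch_as_quoted($user, $new_user) {
  $user->masquerading = $new_user->uid;
  $user = $new_user;
  return $user; // active account, carries no flag
}

// Order proposed in the issue: the flag travels with the active
// account and records the real user's uid.
function switch_as_proposed($user, $new_user) {
  $new_user->masquerading = $user->uid;
  $user = $new_user;
  return $user;
}

// Assumed logout step: it logs the end of the masquerade only when
// the current user carries the flag.
function on_logout($user) {
  if (!empty($user->masquerading)) {
    return "masquerade ended: real uid {$user->masquerading} acted as uid {$user->uid}";
  }
  return "no masquerade recorded for uid {$user->uid}";
}

// Constructed sample accounts: uid 1 switches to uid 42.
echo on_logout(switch_as_quoted(make_user(1), make_user(42))), "\n";
echo on_logout(switch_as_proposed(make_user(1), make_user(42))), "\n";
```

With the quoted order the impersonation session ends without an audit entry, which matches the logout symptoms listed in the issue.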
Comments
#1
I'm marking this as "won't fix" unless someone can replicate this issue on the current version. If you're still having problems, please re-open or file a new issue.
Clicking the links provided in the Masquerade block in the Drupal 6 version addresses the feature suggestion you've made. So if you're interested, download the latest -dev and check it out.