Restrict masquerade privileges for roles

Seems like a reasonable request. I'd be glad to review patches for such a feature. In the mean time, in the latest -dev version you can set up user-to-user relationships which may work for such a case.

subscribe

I guess this could be created with dynamic permissions for "Masquerade as [role-name]"

This is an easy fix, but after playing with it I think maybe it should work in reverse. The reason is that permissions are accumulative.
So it is common to give high access users lower access roles.
example:
accesslvl1 = view content
accesslvl2 = edit content

user bob roles = 'accesslvl1'
user tom roles = 'accesslvl1, accesslvl2'

In this scenario granting access to role accesslvl1 would allow someone to masquerade as bob or tom since they both have that access level.
I think this probably needs to work in reverse as a way to limit masquerade permissions by role
Then you could grant the ability to masquerade as a user (built in permision) and restrict the ability to masquerade as accesslvl2
Hope that makes sense!

I decided to do this as a role restriction for the reasons above.

I'm not sure i followed this. I think you would generally want to masquerade to a lesser privileged role, simply for testing an access restriction, but wouldn't want to give the ability to masquerade to a higher privileged role, as that defeats the purpose of the role assignment.

I wrote the above patch against a previous version and it worked fine. I upgraded and upgraded the patch and it isn't working.
The latest version has the ability to set which roles are considered admin which is all I really needed.

correct, but roles are accumulative. So a user with a higher role will generally have the lower roles as well.
It depends on how you grant your permissions.

Here is a better patch.
If you want to allow masquerading by role instead of restricting by role just change the following
Line 34 (after applying the patch)

$perm[] = "masquerade as users in role $role";

Line 197 (after applying the patch)

        //@patch regx mod
        if($switch_to_account == FALSE){
          // check if user has masquerade role access
          foreach($account->roles as $rid => $role){
            if(user_access("masquerade as users in role $role")){
              $switch_to_account = TRUE
              break;
            }
          }
        }
        //end regx mod

This has interesting potential. I am designing a website for a primary school. Pupils Tom Smith, Dick Smith and Harriet Smith can log on and see what homework is outstanding in each of their cases. Their dad Mr Smith would like to log on and see the homework that is outstanding for ALL of them (so ideally logging on as 3 users at once!) but maybe this revision would be even better. Mr Smith logs on and uses masquerade to be Tom Smith, but if he tried to be Basil Jones it would not work as Basil is not in the 'Smith Family" role. That said setting up roles for each family is rather longwinded at a larger school.

You could stop siblings looking at each others work by only having masquerade available to Teacher and Parent roles. I mention all this as it could have uses wider than just education.

Taking this in a somewhat different direction ...

Would it be possible to auto-populate the lists of users one can masquerade as, based on roles? For example, to have all users who have role C be automagically added to the list of users that anyone who has role B can masquerade as? I think this is along the lines of what the original poster asked in the "Alternatively ..." paragraph, regarding roles A, B, and C.

Or to add a checkbox in the Masquerade settings on the user create/edit form, to give that specific user masquerade ability for every user in role C?

I'm looking at Masquerade as a possible workaround to achieve a middle ground between "edit own" and "edit all" field-level permissions. Initial testing indicates it'll give me the results I want, but having to assign each and every masqueradee to each and every masquerader in user admin could become a big pain.

The patch in #8, and the after-patch, didn't do the trick for me; selecting users to masquerade as still appeared to be required. BTW, it looks like there's a semicolon missing at the end of the 6th line of the after-patch. Should be:

$switch_to_account = TRUE;

subscribe

Could someone clarify this issue for me...

My understanding, from reading this issue, is that Masquerade does not allow for stopping a user (that has been given permission to 'masquerade') from masquerading as a particular other user?

For eg. if I have the following users:
Superadmin
Retailer
Customer

And if for my purposes I wanted to give Retailer the ability to masquerade as Customer, am I not able to restrict/stop that Retailer from masquerading as Superadmin?

~There is a method to my madness: I am using this module in an invoicing/accounting workflow in order to create customer profiles/information which can be reused later in different ways, however i need to restrict the Retailer from taking on Superadmin privileges and basically mucking up the setup. If there is a different workaround (eg. module) for this, do let me know!~

Thanks in advance :)

PS. I am using Masquerade 6.x.1.6, but I didn't want to duplicate the issue, if I understood this one correctly...

Apols for wasting drupal.org bandwidth - just figured it out, i think. I had permissions set to masquerade as user + admin, vs. just user...

See #1171500: Add "masquerade as @role" permissions/settings for each role
Would need to be backported.
Since this thread hasn't been updated in over a year, i'm going to close it.