Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Session won't read if user is blocked.
Ends up logging out current user but with message saying now masquerading as.
Comment | File | Size | Author |
---|---|---|---|
#15 | masquerade-blocked_users-932814-15-7.x.patch | 2.52 KB | gngn |
| |||
#6 | 932814.6-masquerade_blocked_users_6.x.patch | 15.02 KB | deviantintegral |
#6 | 932814.6-masquerade_blocked_users_7.x.patch | 14.13 KB | deviantintegral |
#5 | 932814.5-masqurade_blocked_users.patch | 10.34 KB | deviantintegral |
#4 | masquerade_blocked_users_1.patch | 5.33 KB | afreeman |
Comments
Comment #1
deekayen CreditAttribution: deekayen commentedHow come you didn't pair the watchdog with a dsm?
Comment #2
hefox CreditAttribution: hefox commentedCopy and paste from another error condition where there is no drupal set message.
Comment #3
hefox CreditAttribution: hefox commentedComment #4
afreeman CreditAttribution: afreeman commentedHefox's patch is a good start. I've rerolled it for the dev branch and added some code to remove menu items and quick links for blocked user accounts and to filter blocked users out of the options presented by the autocomplete fields in admin/settings/masquerade and the masquerade block. If this meets with everyone's approval I'll open an issue and roll a patch for D7.
Comment #5
deviantintegral CreditAttribution: deviantintegral commentedI've rerolled this patch against HEAD. I also fixed a few minor issues. The attached patch contains:
a266968 Issue #932814: Prevent switching to blocked user accounts.
d945e9a Issue #932814: Fix minor code style issues.
609f06b Issue #932814: Don't deny access to a page when unable to switch accounts.
4aa3823 Issue #932814: Fix typo in dsm() when removing a blocked account from the list of quick switches.
I'll be working on a 7.x version in a moment.
Comment #6
deviantintegral CreditAttribution: deviantintegral commentedHere's a 7.x version of the patch. I also fixed an issue with the user admin form not properly handling removing blocked users in both versions.
Comment #7
andypostis this still an issue?
Comment #8
clemens.tolboomThis is still a bug (for 7.x-rc4)
The patch from #6 looks OK but I guess is probably not applicable anymore.
Whitespace
Comment #9
andypostSuppose we should not loose data on status change.
This check should be done as #2 and additionally clean-up Quick switches on render.
In case of form we just need to throw error message
Comment #10
wjaspers CreditAttribution: wjaspers commentedJust throwing in an additional idea in here.
What if a situation occurs where someone wants to masquerade as a "blocked" user; but wants to restrict this functionality to a handful of trusted accounts?
Would an additional permission make sense? Is this a realistic scenario?
Those that don't have the permissions applied would see the error page; those that do, would be able to masquerade as the blocked account.
Comment #11
Taxoman CreditAttribution: Taxoman commented#10: if a user account is blocked, it cannot be logged into, hence what is there to check? There is no scenario as there is no way to get into that user account during blocked state, and Masquerade would only receive the default error message you get if a login fails...
Comment #12
hefox CreditAttribution: hefox commentedSince session handling can be overridden (memcache for example), it's possible to override the inability to login to blocked users.. but wow, that'd be bad. Don't think masquerade should support that extremely specific use case.
Comment #13
ResidentR6 CreditAttribution: ResidentR6 commentedSo after 4 years a bug is still here. There's a simple solution: DO NOT allow to found blocked user. Just hardcode a filter over request.
What's wrong with this "minor" bug: when you step on it, you will be thrown out of AMDIN session, not the user you tried to masquerade.
Comment #14
noopal CreditAttribution: noopal commentedHi, its still here another 3 years later :p.
Sometimes I pick a random user to see how a page looks to non-admins, and just get logged out.
Comment #15
gngn CreditAttribution: gngn at Computer Manufaktur GmbH commentedNew patch applying to current 7.x-1.x-dev and 7.x-1.0-rc7
Includes:
masquerade_autocomplete()
andmasquerade_autocomplete_multiple()
, so you do not get any blocked users via autocomplete.masquerade_block_1_validate()
, so you will get a form validation error if you entered a blocked user.masquerade_switch_user().
I do not think that we need to log to watchdog (above patches did).
I have one question: the other patches checked user's status like:
What's the purpose of
!empty($new_user->uid) &&
?My patch just checks
empty($new_user->status)
.