Hi,
I would like to use user real names (from realname module) instead of user name in masquerade switch block. Is there any kind of integration between both modules yet?
Thanks
Comment | File | Size | Author |
---|---|---|---|
#35 | masquerade-realname_integration-1295818-35.patch | 2.46 KB | PascalAnimateur |
#32 | masquerade_use_realname-1295818-32.patch | 1.73 KB | deggertsen |
Comments
Comment #1
tobiberlin commented:
I would appreciate such a possibility as well
Comment #2
cYu commented:
Attached is a patch which will theme user name before output in the various autocompletes provided by masquerade module.
Comment #3
cYu commented:
Actually, this themes the username as a clickable link... which is undesirable. With realname overriding theme_username you'd be able to do
but without making realname a dependency you'd need to striptags or check_plain or something of that sort to get rid of the name being a link to the user profile page.
Comment #4
deekayen commented:
how about wrapping theme() in the same check_plain that you replaced?
Comment #5
cYu commented:
check_plain would encode the markup but still look bad in the autocomplete field. filter_xss looks like what I want (with an empty array for allowed tags) for stripping out the markup. Was hoping there was a nicer way in D6, but it looks like that is the standard protocol. If this goes in I'll also roll a D7 patch which should be cleaner. http://drupal.org/update/modules/6/7#format_username
Comment #6
deekayen commented:
what about just straight strip_tags()?
Comment #7
cYu commented:
Yeah, that will be more efficient and give the same output. Attached patch with strip_tags.
Comment #8
j4 commented:
Hi,
Can you provide a similar patch for version 7 also?
Thanks
Jaya
Comment #9
deekayen commented:
#8 is a good point. It'd be good not to commit to only 6.x and leave it out of 7.
Comment #10
andypost commented:
@deekayen suppose we could not commit 6.x and change this for 7.x for format_username() because this requires changing the logic for _masquerade_user_load($username) but I have no idea how to implement a search having some piece of render
Comment #11
liquidcms commented:
no progress on this? i'll take a look at it tonight.
and bumping to D7
Comment #12
liquidcms commented:
hmm.. i'm at a loss; do either the d6 or d7 patches here work at all?
i see the query in the patch is changed simply to this:
so still searching in user table on username for the string that gets entered. that will never work. possibly what this patch is doing is simply returning the realname to show in the field prior to the user hitting GO; but it isn't searching on realname.. which i think is kind of the real issue here isn't it?
Comment #13
liquidcms commented:
doesn't seem that elegant but not sure there is a much better way.
so this patch checks if realname module exist and if it does; it does the "right" thing; which is search on realname and display realname in the autocomplete results.
i actually display the result as [realname] ([username]) since realname is not unique and this would possibly allow someone to pick the correct result; plus it makes it easier at the end to set to the correct user.
Comment #14
liquidcms commented:
patch is not in GiT format so auto test will fail; sorry, GiT sucks
Comment #15
liquidcms commented:
i also fixed search method in both the realname method and pre-existing username method of doing search. for some reason the original code uses "starts with" rather than "contains"; which seems silly.
Comment #16
andypost commented:
Not sure that escaped realname could be found this way
trailing whitespaces
format_username()
unescaped?
Comment #17
liquidcms commented:
sorry, not sure what your comment is referring to.
yes, my code does work; i am using it on a site.
perhaps you are saying i need a check_plain() as some sort of security measure? but i don't see how that is necessary.
Comment #18
deggertsen commented:
Thanks for the patch. It works perfectly. I've rerolled the patch using git and removed the whitespace errors.
Comment #19
deekayen commented:
I'm confused. The reason I use realname at work is for security. It helps keep the login username masked so it's harder to know how to login as another user since Realname isn't valid for logins. If you expose $user->name in the autocomplete, aren't you circumventing that?
Comment #20
liquidcms commented:
it's the autocomplete for the realname switch form. why would your untrusted users have access to switching users? would seem if they had that; they would already be bypassing logging in.
Comment #21
deggertsen commented:
@deekayen. Are you using masquerade for something other than admin development? If so then what you say sort of makes sense, but usually you would not want people to be able to masquerade as someone else using their account unless they are an administrator anyways right? I think in most cases, this patch serves in a way people would want it to work.
Comment #22
deekayen commented:
We have non-admin users (customer service reps) who masquerade as a user for helping users place orders by phone or for doing level one helpdesk.
Comment #23
liquidcms commented:
@deekayen
1. if you can become that person; surely you can edit their profile and see their username, correct? or is the issue that your reps are limited to who can masquerade as; but with this patch you can see everyone's username? (is that a setting/perms with this module - to limit who you can masquerade as?)
2. knowing someone's username is a long ways from knowing their password and being able to log in.
Comment #24
andypost commented:
So let's re-title and solve the issue forever.
@liquidcms The real names could not be unique so you add a $user->name here but it introduces a security issue. I'd suggest to output [uid] as all autocompletes do for nodes, it's a common practice.
BTW it introduces a nice API change which I'd like to support - always use [uid] for autocomplete so it would allow us to use format_username() for autocomplete or maybe theme(username) and finally solve the issue with all modules that alter user name.
PS: Most of the sites I'm working on use email_registration module so names of users are auto-generated and not readable
the scariest thing here is that we output names unescaped
Comment #25
deekayen commented:
iirc, theme_username returns the realname, so why not just skip the query change, and do
check_plain(theme_username(array('account' => $user)))
?
Comment #26
andypost commented:
@deekayen yes, you get it right - once we use [uid] from autocomplete then we can prepend it with any output produced by format_username() that needs sanitization with check_plain()
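The approach proposed in #24 to #26, sketched as an added example that is not part of this thread or of the Masquerade code: suggestions are searched and labelled by display name, identified by a trailing [uid:N], and escaped for the dropdown. The module name mymodule, the [uid:N] label format, the mymodule_target_uid key and the {realname} table layout (realname and uid columns) are assumptions.

```php
<?php
// Added example for a hypothetical Drupal 7 module "mymodule"; not Masquerade's code.
// Assumption: the Real Name module keeps display names in {realname}.realname, keyed by uid.

/**
 * Autocomplete callback: search display names only, identify results by uid.
 */
function mymodule_masquerade_autocomplete($string = '') {
  $matches = array();
  if ($string !== '') {
    $query = db_select('users', 'u');
    $query->join('realname', 'rn', 'rn.uid = u.uid');
    $uids = $query->fields('u', array('uid'))
      ->condition('u.uid', 0, '>')
      // The login name (u.name) is neither searched nor returned.
      ->condition('rn.realname', '%' . db_like($string) . '%', 'LIKE')
      ->range(0, 10)
      ->execute()
      ->fetchCol();
    foreach (user_load_multiple($uids) as $account) {
      $label = format_username($account);
      // Key: plain text placed in the form field. Value: HTML shown in the
      // suggestion list, so it is escaped here.
      $matches[$label . ' [uid:' . $account->uid . ']'] = check_plain($label);
    }
  }
  drupal_json_output($matches);
}

/**
 * Validation handler: trust only the trailing numeric uid, never the label.
 */
function mymodule_masquerade_validate($form, &$form_state) {
  $value = $form_state['values']['masquerade_user_field'];
  $account = FALSE;
  // Anchored at the end, so a display name containing "[uid:5]" cannot win.
  if (preg_match('/\[uid:(\d+)\]\s*$/', $value, $found)) {
    $account = user_load((int) $found[1]);
  }
  if ($account && $account->uid > 0) {
    // Hypothetical key read later by the submit handler.
    $form_state['values']['mymodule_target_uid'] = $account->uid;
  }
  else {
    form_set_error('masquerade_user_field', t('Select a user from the suggestions.'));
  }
}
```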
Comment #32
deggertsen commented:
Updated patch to apply against most recent dev. I would like to implement what is being discussed in #24-26, but I don't totally follow. It would be great if one of you could update this patch with those changes.
Thanks
Comment #33
deggertsen commented:
Hiding patch from #2
Comment #34
scottsawyer commented:
I am testing the patch in #32 (masquerade_use_realname-1295818-32.patch) and it is pulling the Real Name in the autocomplete, it is passing masquerade_block_1_validate, but it never seems to hit masquerade_block_1_submit.
Using 7.x-1.0-rc7.
I have put some debug code into _validate to make sure it was setting $form_state['values']['masquerade_user_field'] to the actual user name and it does. But it won't submit. The page reloads and it doesn't start the masquerade session.
The links work. And I put debug code in the top of masquerade_block_1_submit and it doesn't even react.
I have an older clone on 7.x-1.0-rc5 with masquerade_use_realname-1295818-18.patch and it is working perfectly.
Any thoughts?
Comment #35
PascalAnimateur commented:
Here's a simple patch to integrate realname superficially (autocomplete works, changed a couple of messages to use format_username(), but not all of them).
Comment #36
izmeez commented:
The patch in #35 passes test, is it suitable to add to #3010095: Masquerade 7.x-1.0 stable release plan
Comment #37
izmeez commented:
The patch in #35 applies to 7.x-1.x-dev but has difficulty applying when in conjunction with the patches in #1171500: Add "masquerade as @role" permissions/settings for each role and #2201055: Do not show inactive / blocked users in autocomplete and block.
A re-roll somewhere along the way may be needed.
The patch still needs to be RTBC.