When two or more users (for example with UID 1, 2 and 3) start masquerading as the same user (with UID 10) and user 1 stops masquerading, the remaining users 2 and 3 are kicked out from masquerading too but stay logged in as user 10. That's because their corresponding records in the masquerade table are deleted as well in masquerade_switch_back(). There are two SQL conditions, sid (Session IDs of user 1, 2 and 3) and uid_as (UID of user 10 in the example above). These two conditions are ORed together so any condition can match. In the example: either the sid of user 1 or the uid of user 10 matches, so it deletes all records for users who are currently masquerading as user 10. As a result, the remaining users are still logged in as user 10 but are not able to switch back from masquerading.

To fix this the conditions must be ANDed so only the record for the user switching back (identified by sid) from user 10 will be removed.

PS: To native English speakers: I tried to find a descriptive issue title - feel free to make it more understandable :)
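
The OR versus AND behaviour described in the issue summary above, reproduced as an added example (this is not the module's code and not part of the original post). It runs the two DELETE variants in Python's sqlite3; the `uid_from` column, the session ID strings and the fourth row are constructed for illustration, while `sid` and `uid_as` are the columns named in the summary.

```python
import sqlite3

# Constructed sample data: users 1, 2 and 3 all masquerade as user 10,
# user 4 masquerades as user 20. The uid_from column and the session ID
# strings are assumptions; sid and uid_as are named in the issue.
ROWS = [("sid-user1", 1, 10), ("sid-user2", 2, 10), ("sid-user3", 3, 10),
        ("sid-user4", 4, 20)]


def make_table():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE masquerade (sid TEXT, uid_from INTEGER, uid_as INTEGER)")
    db.executemany("INSERT INTO masquerade VALUES (?, ?, ?)", ROWS)
    return db


def switch_back(operator, sid, uid_as):
    """Delete masquerade records as a switch-back would, joining the two
    conditions with `operator` ("OR" = reported behaviour, "AND" = fix).
    Returns the uid_from values that still have a record afterwards."""
    if operator not in ("OR", "AND"):
        raise ValueError("operator must be OR or AND")
    db = make_table()
    db.execute(f"DELETE FROM masquerade WHERE sid = ? {operator} uid_as = ?",
               (sid, uid_as))
    remaining = [r[0] for r in
                 db.execute("SELECT uid_from FROM masquerade ORDER BY uid_from")]
    db.close()
    return remaining


def stranded(operator, sid, uid_as, switching_uid):
    """Users who masqueraded as uid_as, did not switch back themselves, and
    lost their record: still acting as uid_as with no way to switch back."""
    before = {uid_from for _, uid_from, as_ in ROWS if as_ == uid_as}
    after = set(switch_back(operator, sid, uid_as))
    return sorted(before - after - {switching_uid})


if __name__ == "__main__":
    # User 1 (session "sid-user1") switches back from user 10.
    for op in ("OR", "AND"):
        print(op, "remaining:", switch_back(op, "sid-user1", 10),
              "stranded:", stranded(op, "sid-user1", 10, 1))
```

With OR, the records of users 2 and 3 disappear along with user 1's, which is the state in which an account keeps another user's identity with no record tying it back to the original login.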


Comments

fuerst’s picture

Title: Keep logged in as masqueraded user after switching back when multiple users are masquerading the same user » Other users get logged in as masqueraded user after switching back when multiple users are masquerading the same user
FileSize
754 bytes

The attached patch fixes this.

fuerst’s picture

Status: Active » Needs review
deekayen’s picture

Assigned: Unassigned » tlattimore

Sending to tlattimore.

deekayen’s picture

Status: Needs review » Fixed

Committed.

deekayen’s picture

Version: 7.x-1.x-dev » 8.x-1.x-dev
Status: Fixed » Patch (to be ported)

Probably needs to be put on 8.x too.

andypost’s picture

Version: 8.x-1.x-dev » 7.x-1.x-dev
Status: Patch (to be ported) » Reviewed & tested by the community
FileSize
537 bytes

Committed to 8.x a different patch. (attached)

Suppose we need a sane comment about.

Later in this function session_id() is changing, so we need to clean up all stuff related in our table for the old session ID.

andypost’s picture

Issue summary: View changes

Removed senseless "stop" from "..but are not able to stop switch back from masquerading."

  • Commit cc333d9 on 8.x-2.x, 8.x-2.x-admin-menu, 8.x-1.x-1836516 by andypost:
    Issue #1858862 by andypost, fuerst: Be more careful which which...
