It seems that the module code doesn't show the masquerade block in the case where the user doesn't have the "masquerade as user" permission but has a defined "masquerade as" list of users in their profile. The following IF statement in the module's code doesn't refer to the above-mentioned case:
```php
if (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin'))) {
  $block['subject'] = t('Masquerade');
  $block['content'] = drupal_get_form('masquerade_block_1');
}
```
Comment | File | Size | Author |
---|---|---|---|
#4 | 1666706-masq-access-4.patch | 666 bytes | phiscock |
#1 | 1666706-masq-access-1.patch | 677 bytes | andypost |
Comments
Comment #1
andypost
Sure, we should not show these settings on the user profile while he has no access.
Comment #2
rosell.dk
It seems the answer and the supplied patch are due to two misunderstandings?
As the module works now (7.x-1.0-rc4), a user A can masquerade as another user B, EVEN if user A does not have the "masquerade as user" permission. If user A has user B listed among the users he is allowed to masquerade as, then user A is able to masquerade as user B, regardless. I'm not sure if this is intended behaviour, but this is how it works.
One would expect that the block displays when a user is able to masquerade as another user. As it is now, it will however not display in the scenario above. To correct this will require a change in the code that was quoted in the issue summary.
The supplied patch, however, doesn't deal with the block view, but with the user form. This is what seems to be the one misunderstanding. The other misunderstanding is that the access to this form needs to be changed. I think it makes perfect sense that this form requires the "administer masquerade" permission: it is a place where masquerade rights are administered individually on users.
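The mismatch described in comment #2, as an added example that is not part of the thread or the module's code: a plain-PHP model with constructed accounts, where the `allowed` list stands in for the per-user "masquerade as" list and all function names are hypothetical. It flags accounts whose effective ability to masquerade differs from what the quoted block condition shows.

```php
<?php
// Constructed sample accounts (not real data). The permission names come
// from the issue; 'allowed' models the per-user "masquerade as" list.
$accounts = [
  'admin'  => ['perms' => ['masquerade as user', 'masquerade as admin'], 'allowed' => []],
  'editor' => ['perms' => [], 'allowed' => ['bob']],
  'helper' => ['perms' => ['masquerade as user'], 'allowed' => ['carol']],
  'guest'  => ['perms' => [], 'allowed' => []],
];

// Hypothetical helper: does the account hold either masquerade permission?
function has_masquerade_perm(array $account): bool {
  return in_array('masquerade as user', $account['perms'], true)
    || in_array('masquerade as admin', $account['perms'], true);
}

// The block visibility condition quoted in the issue summary.
function block_is_shown(array $account, bool $masquerading = false): bool {
  return $masquerading || has_masquerade_perm($account);
}

// Effective ability as comment #2 describes it (an assumption of this
// model): a non-empty allow list is enough, regardless of the permission.
function can_masquerade(array $account): bool {
  return has_masquerade_perm($account) || count($account['allowed']) > 0;
}

// Accounts where the UI check and the effective ability disagree.
function divergent_accounts(array $accounts): array {
  $names = [];
  foreach ($accounts as $name => $account) {
    if (can_masquerade($account) !== block_is_shown($account)) {
      $names[] = $name;
    }
  }
  return $names;
}

// Report each divergent account with the users it can switch to.
foreach (divergent_accounts($accounts) as $name) {
  printf("%s: can masquerade as [%s] but the block is hidden\n",
    $name, implode(', ', $accounts[$name]['allowed']));
}
```

Routing both the block view and the switch itself through one predicate such as `can_masquerade()` keeps the two checks from drifting apart, whichever behaviour is decided to be the intended one.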
Comment #3
Igal
@rosell.dk,
your description of the problem is correct. I just changed
with
Comment #4
phiscock
Thank you @rosell.dk. This worked well for me in displaying the block with just a limited list of users that a person is allowed to masquerade as. I've made a patch against the latest dev version that implements your solution in the hope that this change might be committed.
Paul