It seems that the module code doesn't show the masquerade block in case where the user don't have "masquerade as user" permission but have defined "masquerade as" list of users in profile. The following IF statement in module's code doesn't refer to above mentioned case

      if (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin'))) {
        $block['subject'] = t('Masquerade');
        $block['content'] = drupal_get_form('masquerade_block_1');
      }
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

andypost’s picture

Version: 7.x-1.0-rc4 » 7.x-1.x-dev
Status: Active » Needs review
FileSize
677 bytes

Sure, we should not show this settings on user profile while he has no access

rosell.dk’s picture

It seems the answer and the supplied patch are due to two misunderstandings?

As the module works now (7.x-1.0-rc4), a user A can masquerade as another user B, EVEN if user A does not have the "masquerade as user" permission. If user A has user B listed as users he is allowed to masquerade as, then user A is able to masquerade as user B, regardless. I'm not sure if this is intended behaviour, but this is how it works

One would expect that the block displays when a user is able to masquerade as another user. As it is now, it will however not display in the scenario above. To correct this will require a change in the code that was quoted in the issue summary.

The supplied patch however doesn't deal with the block view, but with the user form. This is what seems to be the one misunderstanding. The other misunderstanding is that the access to this form needs to be changed. I think it makes perfectly sense that this form requires the "administer masquerade" permission. - it is a place where masquerade rights are administrated individually on users.

Igal’s picture

@rosell.dk,
your description of the problem is correct. I just changed

if (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin'))) {
        $block['subject'] = t('Masquerade');
        $block['content'] = drupal_get_form('masquerade_block_1');
 }

with

if (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin')) || masquerade_menu_access('user')) {
        $block['subject'] = t('Masquerade');
        $block['content'] = drupal_get_form('masquerade_block_1');
}
phiscock’s picture

FileSize
666 bytes

Thank you @rosell.dk. This worked well for me in displaying the block with just a limited list of users that a person is allowed to masquerade as. I've made a patch against the latest dev version that implements your solution in the hope that this change might be committed.

Paul