diff --git a/README.txt b/README.txt index 01ed614..d2b6550 100644 --- a/README.txt +++ b/README.txt @@ -25,6 +25,26 @@ None. * Grant the "Masquerade as another user" permission to the desired roles. +-- SECURITY -- + +* Masquerade's built-in access control mechanism has been designed to be simple, + smart, and secure by default: + + - Users without the masquerade permission are not allowed to masquerade. + - Uid 1 may masquerade as anyone. No one can masquerade as uid 1. + - If you have the identical permissions as the target user (or additional + permissions), you are allowed to masquerade. + - Otherwise, access to masquerade as the target user is denied. + + This means that Masquerade's built-in access control does not allow any kind + of privilege escalation. It is safe to grant the masquerade permission to + user roles. Users are never able to exceed their privileges by masquerading + as someone else. + +* More fine-grained access control (e.g., role-per-role, per-user, blacklist) + may be supplied by separate add-on modules for Masquerade. + + -- FEATURES AND INTEGRATION -- * The Masquerade module provides and aims for a deep integration with the diff --git a/masquerade.module b/masquerade.module index b103dea..1600b7a 100644 --- a/masquerade.module +++ b/masquerade.module @@ -23,7 +23,7 @@ account. It records the original user account, so users can easily switch back.' $output .= '
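Review bot: The closing paragraph of the new SECURITY section in README.txt ("does not allow any kind of privilege escalation", "Users are never able to exceed their privileges") claims more than the four rules above it establish. Those rules compare permissions only, so a user whose permissions are identical to or a superset of the target's is still allowed to act under the target's uid, and with it gains whatever access is tied to that account itself rather than to a permission. Suggest narrowing the claim to something like "users cannot gain permissions they do not already hold by masquerading" and stating separately that a masquerading user acts with the target account's identity. The third rule would also read more precisely as "your permissions are equal to, or a superset of, the target user's permissions", and it should say that the masquerade permission from the first rule is still required. The masquerade.module hunk is cut off after its first changed line here, so the documented rules cannot be checked against the access check they describe; worth confirming that the uid 1 rules and the permission comparison are enforced in code and covered by tests before the README states them as guarantees.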