The masquerade block appears even if you don't have access to switch users:

- enable masquerade and the masquerade block. optionally add some quick switch users too
- log out and see how the (empty) block appears even though the anonymous user does not have access to any masquerade permission.

The quick links lead to an access denied, so this is not a security issue, but the block should not be displayed.

CommentFileSizeAuthor
#1 1116034_1_hide_block.patch656 bytesscor
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

scor’s picture

scor CreditAttribution: scor commented
Status: Active » Needs review
FileSize
1116034_1_hide_block.patch656 bytes

patch.

PS: probably a good idea to switch from 'master' to a '7.x-1.x' branch in git.

osopolar’s picture

osopolar
Primary language German
Location 🇩🇪 GER 🌐
CreditAttribution: osopolar commented

Patch works as expected.

ZoeN’s picture

ZoeN CreditAttribution: ZoeN commented

Issue still exists, and submitted patch works, in rc3, too.

osopolar’s picture

osopolar
Primary language German
Location 🇩🇪 GER 🌐
CreditAttribution: osopolar commented
Status: Needs review » Reviewed & tested by the community

I use the patch and rc3 on another website and it works well.

Kars-T’s picture

Kars-T CreditAttribution: Kars-T commented

+1 for the patch.

It is an easy if() block and prevents that the block is shown to any user that is not currently masquerading or doesn't have appropriate access rights.

Kars-T’s picture

Kars-T CreditAttribution: Kars-T commented
Version: 7.x-1.x-dev » 7.x-1.0-rc3

Setting the issue to RC3

deekayen’s picture

deekayen CreditAttribution: deekayen commented

I'm alright with committing this after #1185018: Rename master branch to 8.x-1.x is resolved so we know where it should go and not get lost in the conversion.

andypost’s picture

andypost
he/him
Primary language Russian
CreditAttribution: andypost commented
Status: Reviewed & tested by the community » Needs work 
+++ b/masquerade.module
@@ -506,8 +506,10 @@ function masquerade_block_view($delta = '') {
+      if (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin'))) {

isset() could lead to session creation, see #705858: Don't create session var when not masqerading

andypost’s picture

andypost
he/him
Primary language Russian
CreditAttribution: andypost commented
Version: 7.x-1.0-rc3 » 7.x-1.x-dev

Release blocker

ohcray’s picture

ohcray CreditAttribution: ohcray commented

Subscribe! So glad you guys are working on this. This is critical to the customer service functionality on our (about to launch) site.

andypost’s picture

andypost
he/him
Primary language Russian
CreditAttribution: andypost commented
Status: Needs work » Fixed

Thanx, fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 4658242 on 7.x-1.x, 8.x-2.x, 8.x-2.x-admin-menu, 8.x-1.x-1836516 by andypost: 
    Issue #1116034 by scor: The masquerade block is displayed regardless of...

  • Commit 4658242 on 7.x-1.x, 8.x-2.x, 8.x-2.x-admin-menu, 8.x-1.x-1836516 by andypost: 
    Issue #1116034 by scor: The masquerade block is displayed regardless of...