It seems that the module code doesn't show the masquerade block in case where the user don't have "masquerade as user" permission but have defined "masquerade as" list of users in profile. The following IF statement in module's code doesn't refer to above mentioned case

<?php
     
if (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin'))) {
       
$block['subject'] = t('Masquerade');
       
$block['content'] = drupal_get_form('masquerade_block_1');
      }
?>
Files: 
CommentFileSizeAuthor
#4 1666706-masq-access-4.patch666 bytesphiscock
PASSED: [[SimpleTest]]: [MySQL] 38 pass(es).
[ View ]
#1 1666706-masq-access-1.patch677 bytesandypost
PASSED: [[SimpleTest]]: [MySQL] 38 pass(es).
[ View ]

Comments

Version:7.x-1.0-rc4» 7.x-1.x-dev
Status:Active» Needs review
StatusFileSize
new677 bytes
PASSED: [[SimpleTest]]: [MySQL] 38 pass(es).
[ View ]

Sure, we should not show this settings on user profile while he has no access

It seems the answer and the supplied patch are due to two misunderstandings?

As the module works now (7.x-1.0-rc4), a user A can masquerade as another user B, EVEN if user A does not have the "masquerade as user" permission. If user A has user B listed as users he is allowed to masquerade as, then user A is able to masquerade as user B, regardless. I'm not sure if this is intended behaviour, but this is how it works

One would expect that the block displays when a user is able to masquerade as another user. As it is now, it will however not display in the scenario above. To correct this will require a change in the code that was quoted in the issue summary.

The supplied patch however doesn't deal with the block view, but with the user form. This is what seems to be the one misunderstanding. The other misunderstanding is that the access to this form needs to be changed. I think it makes perfectly sense that this form requires the "administer masquerade" permission. - it is a place where masquerade rights are administrated individually on users.

@rosell.dk,
your description of the problem is correct. I just changed

<?php
if (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin'))) {
       
$block['subject'] = t('Masquerade');
       
$block['content'] = drupal_get_form('masquerade_block_1');
}
?>

with

<?php
if (isset($_SESSION['masquerading']) || (user_access('masquerade as user') || user_access('masquerade as admin')) || masquerade_menu_access('user')) {
       
$block['subject'] = t('Masquerade');
       
$block['content'] = drupal_get_form('masquerade_block_1');
}
?>

StatusFileSize
new666 bytes
PASSED: [[SimpleTest]]: [MySQL] 38 pass(es).
[ View ]

Thank you @rosell.dk. This worked well for me in displaying the block with just a limited list of users that a person is allowed to masquerade as. I've made a patch against the latest dev version that implements your solution in the hope that this change might be committed.

Paul