When two or more users (for example with UID 1, 2 and 3) start masquerading as the same user (with UID 10) and user 1 stops masquerading the remaining users 2 and 3 are kicked out from masquerading too but keep logged in as user 10. That's because their corresponding records in the masquerade table are deleted as well in masquerade_switch_back()
. There are two SQL conditions, sid (Session IDs of user 1, 2 and 3) and uid_as (UID of user 10 in the example above). This two conditions are ORed together so any condition can match. In the example: either the sid of user 1 or the uid of user 10 matches so it deletes all records for users which currently masquerading as user 10. In the result the remaining users are still logged in as user 10 but are not able to switch back from masquerading.
To fix this the conditions must be ANDed so only the record for the user switching back (identified by sid) from user 10 will be removed.
PS: To native english speakers: I tried to find a descriptive issue title - feel free to make it more understandable :)
Comment | File | Size | Author |
---|---|---|---|
#6 | 1858862-masquerade-6.patch | 537 bytes | andypost |
#1 | masquerade-1858862-1.patch | 754 bytes | fuerst |
Comments
Comment #1
fuerst CreditAttribution: fuerst commentedThe attached patch fixes this.
Comment #2
fuerst CreditAttribution: fuerst commentedComment #3
deekayen CreditAttribution: deekayen commentedSending to tlattimore.
Comment #4
deekayen CreditAttribution: deekayen commentedCommitted.
Comment #5
deekayen CreditAttribution: deekayen commentedProbably needs to be put on 8.x too.
Comment #6
andypostCommited to 8.x a different patch. (attached)
Suppose we need a sane comment about.
latter in this function session_id() is changing so we need to clean-up all staff related in out table for old session ID.
Comment #6.0
andypostRemoved senseless "stop" from "..but are not able to stop switch back from masquerading."