The selected user is not an administrator and my role has permission to masquerade as user, but since rc7 I got this error report of other help desk people. I tried it out myself and first could not reproduce it. I advised them to clear their browser cookies. They still complained. Then I gave myself the same combination of roles, but still could not reproduce it. Then I cleared out the session table and after that I could reproduce the same error. I reverted back to RC6 but it had the same error. After reverting back to RC5 it was "fixed" and I could masquerade again. Something in the code in between RC5 and RC7 must have broken it.


Comments

ñull’s picture

bwoods’s picture

It seems that if you're the original user (ID = 1), you can masquerade, but regardless of the permissions set up, you can not masquerade if you are not.

genjohnson’s picture

I'm running into this as well. I've found a combination of permissions that seems to get around this issue, but the permissions still don't seem right to me.

I have three roles on my site - administrator, webmaster and editor. Users with the webmaster role should only be able to masquerade as any user with the editor role.

On the Masquerade configuration page, the administrator and webmaster roles are checked in the Roles that are considered "administrators" for masquerading section. The editor role is not checked.

When the webmaster role has only the "Masquerade as user" permission, webmasters are unable to masquerade as editors and receive the error message "You are not allowed to masquerade as the selected user." (They also cannot masquerade as administrators or other webmasters, which is working as expected.)

When the webmaster role has both the "Masquerade as user" and the "Masquerade as any user" permissions, webmasters are able to masquerade as editors. However, with this permission configuration when the webmasters try to masquerade as an administrator or other webmaster the site white screens. There are two log entries - one error of type masquerade, "This user requires administrative permissions to switch to the user ", and one warning of type access denied to the page the webmaster was on when they tried to masquerade.

When the webmaster role has only the "Masquerade as any user" permission, the Masquerade block is not available to the webmasters and they cannot masquerade as other users.

It's not clear to me what the difference between the "Masquerade as user" and "Masquerade as any user" permissions is supposed to be. Could someone clarify what the difference between these permissions is supposed to be?

clemens.tolboom’s picture

#2211547: Regression: RC6 checking for users in list prevents admin masqurade

I've just upgraded from 7.x-1.0-rc6 to 7.x-1.0-rc7 and can switch from user-1 to another user.

@genjohnson what version do you use?

genjohnson’s picture

@clemens.tolboom, I'm using 7.x-1.0-rc7.

suntower’s picture

Using 7.x-1.x-dev

We have 4 Roles
Sales
Data Entry
Editor
Admin

I'm getting the same situation as genjohnson:

If one follows the docs, it does not work as advertised.

1. Admin can Masquerade as anyone
2. You have to check the Masquerade As Admin box in order for -anyone- who is at a higher Role to be able to Masquerade as -anyone-.
3. However, if, say, a lower Role (sales) tries to switch to Admin, the cursor just spins for 5 minutes. To -me- they shouldn't even -see- the higher level Roles as options to switch to.

I have to say, this is not a 'normal' bug. To me, it should be -high- or -very high- as it's just basic functionality.

dale42’s picture

I have encountered this issue, as well.

I can reproduce on a test site as follows:

  • Install Drupal 7.38
  • Install Masquerade 7.x-1.0-rc7 and enable
  • Add block "Masquerade" to sidebar (or preferred region)
  • Create role: manager
  • Add permission "Masquerade as user" to role "manager"
  • Create user: manager1
  • Add role "manager"
  • Create user: user1
  • Log on as manager1
  • Attempt to masquerade as "user1"

7.x-1.0-rc5: Works
7.x-1.0-rc6: Error message "You are not allowed to masquerade as the selected user."
7.x-1.0-rc7: Error message "You are not allowed to masquerade as the selected user."

laughnan’s picture

Subscribing.

rob.barnett’s picture

This issue seems to be a byproduct of the RC6 Security fix. It no longer validates against the masquerade as user permission. It only checks against masquerade as any user.

I think it would be helpful to add another configuration option that provides a list of roles that a user with masquerade as user can login as. The masquerade_block_1_validate function could then check against that setting and compare the roles for $to_uid user.

The allowed roles setting could add a form element with #type select that gets the roles with user_roles().
The selected roles with their rids as array keys get saved in the variables table.
The masquerade_block_1_validate function gets the array of denied roles from the variables table setting and does an array_intersect_key() comparison.

I haven't tested this but something like so in the masquerade_block_1_validate:

  if ($to_uid !== FALSE) {
    // Roles that "masquerade as user" may switch to, keyed by rid,
    // e.g. array(2 => 'authenticated user'). Defaults to an empty array.
    $allowed_roles = variable_get('masquerade_allowed_roles', array());
    // Roles of the target account, keyed by rid.
    $to_uid_user = user_load($to_uid)->roles;
    $check_to_uid = array_intersect_key($allowed_roles, $to_uid_user);
    // Allow on a role match, the "any user" permission, or a per-user entry.
    $allowed = !empty($check_to_uid) || user_access('masquerade as any user') ||
               db_select('masquerade_users', 'm')
                  ->fields('m', array('uid_to'))
                  ->condition('m.uid_to', $to_uid, '=')
                  ->condition('m.uid_from', $user->uid, '=')
                  ->execute()
                  ->fetchField();
  }

fdefeyter@gmail.com’s picture

Same problem...

rob.barnett’s picture

You can still get masquerade to work by checking off both the "Masquerade as user" and the "Masquerade as any user" permission for the role you want.
Then make sure to check off the roles that are considered "administrators" for masquerading under the Masquerade configuration under admin/config/people/masquerade in order to prevent users from masquerading as administrators.

One caveat is that I get a WSOD when I try to masquerade as a user who is an administrator with the following watchdog message:
This user requires administrative permissions to switch to the user x

liquidcms’s picture

Priority: Normal » Major

at the very least the label on the masquerade config page is confusing:

Roles that are considered "administrators" for masquerading

should possibly be something like:

Roles that are not included in ANY when allowed to masquerade as any user.

but also the WSOD when masquerading as an admin is not great.

paulsheldrake’s picture

Hello

Here is a patch to fix the issue of the "masquerade as user" permission not working. This was done against RC7.

Cheers,
Paul

paulsheldrake’s picture

lathan’s picture

Status: Active » Reviewed & tested by the community

Works for me RTBC

Status: Reviewed & tested by the community » Needs work

heyyo’s picture

I still have the same issue even with the patch from #13.
And having the 2 options checked: "Masquerade as user" and the "Masquerade as any user", is filling my Drupal logs in loop when switching to an administrator role.

rprager’s picture

I've started working on a patch for this, but as I look at the code I'm seeing inconsistencies for how masquerade access is checked in different functions (masquerade_user_view, masquerade_block_1_validate, masquerade_switch_user, masquerade_menu_access). I think these access checks could be consolidated into a single function in many cases.

Before I move forward, I need to have a clear understanding of each permission and how access should really work. Here's what my initial understanding was until I started seeing inconsistencies.

- If a user is set up with specific users to masquerade as via the masquerade settings on the profile edit page, they can masquerade as those users without any additional masquerade permissions

- masquerade as any user - this permission allows a user to masquerade as any other user (including those considered admins based on roles checked in the masquerade configuration)... this could be considered a combination of the next two permissions

- masquerade as admin - this permission allows a user to masquerade as uid=1 or users considered admins based on roles checked in the masquerade configuration

- masquerade as user - this permission allows a user to masquerade as any non-admin user (users not considered admins based on roles checked in the masquerade configuration)

Am I wrong by these assumptions?

r-mo’s picture

Agree with #18 really need to ensure these permissions are properly defined and create a reusable function which checks them but can't really complete that until we can confirm above assumed permissions are correct.

Have created a patch for block_1_validate which treats the permissions here the same way as masquerade_switch_user.
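
The permission model assumed in comment #18, written as the single reusable check that comment and the one after it ask for. This is an added example, not Masquerade's code and not any poster's patch; the function name, its parameters and the role ids are hypothetical, and it takes plain arrays instead of calling Drupal so it runs under the PHP CLI.

```php
<?php
// Added example: one access function encoding the model assumed in comment #18.
// Function name, parameters and role ids are hypothetical.

/**
 * @param array $perms      Permission strings held by the acting user.
 * @param int   $to_uid     Uid of the account to switch to.
 * @param array $to_rids    Role ids held by that account.
 * @param array $admin_rids Role ids checked as "administrators" for masquerading.
 * @param array $listed     Uids set for the acting user on the profile edit page.
 * @return bool
 */
function example_masquerade_access(array $perms, $to_uid, array $to_rids, array $admin_rids, array $listed = array()) {
  // The per-user list works without any additional masquerade permission.
  if (in_array($to_uid, $listed)) {
    return TRUE;
  }
  // "any user" covers admin and non-admin targets alike.
  if (in_array('masquerade as any user', $perms, TRUE)) {
    return TRUE;
  }
  // uid 1 and holders of a checked role count as admins.
  $is_admin = ($to_uid == 1) || (bool) array_intersect($to_rids, $admin_rids);
  $needed = $is_admin ? 'masquerade as admin' : 'masquerade as user';
  return in_array($needed, $perms, TRUE);
}

// Constructed data modelled on genjohnson's site: administrator (rid 3) and
// webmaster (rid 4) are checked as "administrators"; editor is rid 5.
$admin_rids = array(3, 4);
$cases = array(
  // label, acting user's permissions, target uid, target rids, listed uids, expected
  array('webmaster -> editor', array('masquerade as user'), 20, array(2, 5), array(), TRUE),
  array('webmaster -> webmaster', array('masquerade as user'), 11, array(2, 4), array(), FALSE),
  array('webmaster -> uid 1', array('masquerade as user'), 1, array(2), array(), FALSE),
  array('any user -> administrator', array('masquerade as any user'), 10, array(2, 3), array(), TRUE),
  array('no permission, listed uid', array(), 20, array(2, 5), array(20), TRUE),
  array('as admin only -> editor', array('masquerade as admin'), 20, array(2, 5), array(), FALSE),
);
foreach ($cases as $c) {
  list($label, $perms, $uid, $rids, $listed, $expected) = $c;
  $got = example_masquerade_access($perms, $uid, $rids, $admin_rids, $listed);
  printf("%-28s %-5s %s\n", $label, $got ? 'allow' : 'deny', $got === $expected ? 'ok' : 'MISMATCH');
}
```

Calling one function like this from the block validator, the user view, the menu access callback and the switch itself would keep the form from offering a target that the switch then rejects.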