The selected user is not an administrator and my role has permission to masquerade as user, but since rc7 I got this error report from other help desk people. I tried it out myself and first could not reproduce it. I advised them to clear their browser cookies. They still complained. Then I gave myself the same combination of roles, but still could not reproduce it. Then I cleared out the session table and after that I could reproduce the same error. I reverted back to RC6 but it had the same error. After reverting back to RC5 it was "fixed" and I could masquerade again. Something in the code in between RC5 and RC7 must have broken it.
Comments
Comment #1
ñull commented
Comment #2
bwoods commented
It seems that if you're the original user (ID = 1), you can masquerade, but regardless of the permissions set up, you cannot masquerade if you are not.
Comment #3
genjohnson commented
I'm running into this as well. I've found a combination of permissions that seems to get around this issue, but the permissions still don't seem right to me.
I have three roles on my site - administrator, webmaster and editor. Users with the webmaster role should only be able to masquerade as any user with the editor role.
On the Masquerade configuration page, the administrator and webmaster roles are checked in the Roles that are considered "administrators" for masquerading section. The editor role is not checked.
When the webmaster role has only the "Masquerade as user" permission, webmasters are unable to masquerade as editors and receive the error message "You are not allowed to masquerade as the selected user." (They also cannot masquerade as administrators or other webmasters, which is working as expected.)
When the webmaster role has both the "Masquerade as user" and the "Masquerade as any user" permissions, webmasters are able to masquerade as editors. However, with this permission configuration when the webmasters try to masquerade as an administrator or other webmaster the site white screens. There are two log entries - one error of type masquerade, "This user requires administrative permissions to switch to the user ", and one warning of type access denied to the page the webmaster was on when they tried to masquerade.
When the webmaster role has only the "Masquerade as any user" permission, the Masquerade block is not available to the webmasters and they cannot masquerade as other users.
It's not clear to me what the difference between the "Masquerade as user" and "Masquerade as any user" permissions is supposed to be. Could someone clarify what the difference between these permissions is supposed to be?
Comment #4
clemens.tolboom
#2211547: Regression: RC6 checking for users in list prevents admin masqurade
I've just upgraded from 7.x-1.0-rc6 to 7.x-1.0-rc7 and can switch from user-1 to another user.
@genjohnson what version do you use?
Comment #5
genjohnson commented
@clemens.tolboom, I'm using 7.x-1.0-rc7.
Comment #6
suntower commented
Using 7.x-1.x-dev
We have 4 Roles
Sales
Data Entry
Editor
Admin
I'm getting the same situation as genjohnson:
If one follows the docs, it does not work as advertised.
1. Admin can Masquerade as anyone
2. You have to check the Masquerade As Admin box in order for -anyone- who is at a higher Role to be able to Masquerade as -anyone-.
3. However, if, say, a lower Role (sales) tries to switch to Admin, the cursor just spins for 5 minutes. To -me- they shouldn't even -see- the higher level Roles as options to switch to.
I have to say, this is not a 'normal' bug. To me, it should be -high- or -very high- as it's just basic functionality.
Comment #7
dale42
I have encountered this issue, as well.
I can reproduce on a test site as follows:
7.x-1.0-rc5: Works
7.x-1.0-rc6: Error message "You are not allowed to masquerade as the selected user."
7.x-1.0-rc7: Error message "You are not allowed to masquerade as the selected user."
Comment #8
laughnan
Subscribing.
Comment #9
rob.barnett commented
This issue seems to be a byproduct of the RC6 Security fix. It no longer validates against the masquerade as user permission. It only checks against masquerade as any user.
I think it would be helpful to add another configuration option that provides a list of roles that a user with masquerade as user can login as. The masquerade_block_1_validate function could then check against that setting and compare the roles for $to_uid user.
The allowed roles setting could add a form element with #type select that gets the roles with user_roles().
The selected roles with their rids as array keys get saved in the variables table.
The masquerade_block_1_validate function gets the array of denied roles from the variables table setting and does an array_intersect_key() comparison.
I haven't tested this but something like so in the masquerade_block_1_validate:
Comment #10
fdefeyter@gmail.com commented
Same problem...
Comment #11
rob.barnett commented
You can still get masquerade to work by checking off both the "Masquerade as user" and the "Masquerade as any user" permission for the role you want.
Then make sure to check off the roles that are considered "administrators" for masquerading under the Masquerade configuration under admin/config/people/masquerade in order to prevent users from masquerading as administrators.
One caveat is that I get a WSOD when I try to masquerade as a user who is an administrator with the following watchdog message:
This user requires administrative permissions to switch to the user x
Comment #12
liquidcms commented
At the very least the label on the masquerade config page is confusing:
Roles that are considered "administrators" for masquerading
should possibly be something like:
Roles that are not included in ANY when allowed to masquerade as any user.
but also the WSOD when masquerading as an admin is not great.
Comment #13
paulsheldrake commented
Hello
Here is a patch to fix the issue of the "masquerade as user" permission not working. This was done against RC7.
Cheers,
Paul
Comment #14
paulsheldrake at Kanopi Studios commented
Comment #15
lathan
Works for me RTBC
Comment #17
heyyo commented
I still have the same issue even with the patch from #13.
And having the 2 options checked, "Masquerade as user" and "Masquerade as any user", is filling my Drupal logs in a loop when switching to an administrator role.
Comment #18
rprager commented
I've started working on a patch for this, but as I look at the code I'm seeing inconsistencies for how masquerade access is checked in different functions (masquerade_user_view, masquerade_block_1_validate, masquerade_switch_user, masquerade_menu_access). I think these access checks could be consolidated into a single function in many cases.
Before I move forward, I need to have a clear understanding of each permission and how access should really work. Here's what my initial understanding was until I started seeing inconsistencies.
- If a user is set up with specific users to masquerade as via the masquerade settings on the profile edit page, they can masquerade as those users without any additional masquerade permissions
- masquerade as any user - this permission allows a user to masquerade as any other user (including those considered admins based on roles checked in the masquerade configuration)...this could be considered a combination of the next two permissions
- masquerade as admin - this permission allows a user to masquerade as uid=1 or users considered admins based on roles checked in the masquerade configuration
- masquerade as user - this permission allows a user to masquerade as any non-admin user (users not considered admins based on roles checked in the masquerade configuration)
Am I wrong by these assumptions?
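The permission model listed in comment #18, combined with the role comparison suggested in comment #9, written as one reusable check. This is an added example, not code from the thread or from the Masquerade module; it implements #18's stated assumptions, which the thread had not confirmed, and the function name, parameters and sample role IDs are hypothetical.

```php
<?php
// Added example, not the Masquerade module's code. Function and variable
// names are hypothetical. Role arrays are keyed by role ID (rid).

/**
 * Decide whether a switch is allowed under the model assumed in comment #18.
 *
 * @param string[] $perms        Masquerade permissions held by the acting user.
 * @param int[]    $allowed_uids Targets listed on the acting user's profile.
 * @param array    $admin_rids   Roles treated as "administrators", keyed by rid.
 * @param int      $to_uid       Target user ID.
 * @param array    $to_roles     Target user's roles, keyed by rid.
 */
function example_masquerade_allowed(array $perms, array $allowed_uids, array $admin_rids, $to_uid, array $to_roles) {
  // Per-profile allow list works without any masquerade permission.
  if (in_array($to_uid, $allowed_uids, TRUE)) {
    return TRUE;
  }
  // "any user" covers admin and non-admin targets alike.
  if (in_array('masquerade as any user', $perms, TRUE)) {
    return TRUE;
  }
  // Admin target: uid 1, or any role shared with the configured admin roles
  // (the array_intersect_key() comparison suggested in comment #9).
  $is_admin = ($to_uid === 1) || (bool) array_intersect_key($to_roles, $admin_rids);
  $needed = $is_admin ? 'masquerade as admin' : 'masquerade as user';
  // Anything not explicitly granted is denied, so the caller can show a
  // form error instead of failing later during the switch.
  return in_array($needed, $perms, TRUE);
}

// Constructed sample data modelled on the three-role site in comment #3.
$admin_rids = array(3 => 'administrator', 4 => 'webmaster');
$webmaster_perms = array('masquerade as user');
$targets = array(
  'editor'        => array(10, array(2 => 'authenticated user', 5 => 'editor')),
  'webmaster'     => array(11, array(2 => 'authenticated user', 4 => 'webmaster')),
  'administrator' => array(1, array(2 => 'authenticated user', 3 => 'administrator')),
);
foreach ($targets as $label => $t) {
  list($uid, $roles) = $t;
  $ok = example_masquerade_allowed($webmaster_perms, array(), $admin_rids, $uid, $roles);
  printf("webmaster -> %s: %s\n", $label, $ok ? 'allowed' : 'denied');
}
```

Calling the same function from the block validator and from the switch routine would reject a disallowed target at form validation, before the switch is attempted.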
Comment #19
r-mo at CTI Digital commented
Agree with #18: we really need to ensure these permissions are properly defined and create a reusable function which checks them, but can't really complete that until we can confirm the above assumed permissions are correct.
Have created a patch for block_1_validate which treats the permissions here the same way as masquerade_switch_user.