Unable to "switch back" to Admin having masqueraded as another user

I had the same experience as you describe above when I first started using this great module.
Give permissions to admin only. Make sure that in your Blocks configuration you have checked all roles that you will want to masquarade as.
From my experience, this block does not show for users with other roles because they do not have permissions to the module.

If you are masquerading as any user, the Masquerade block should always show so you can switch back. If it's not, please post any steps to reproduce it so we can track it down.

Are you still unable to see the block in the latest release?

I have the same problem, after masquerading, the "Switch back" link in the menu is displayed without the security token (e.g. masquerade/unswitch). Therefore, it denies access.

It happens because at the time function masquerade_menu_link_alter is invoked, there is no masquerade/unswitch link in the menu, so it is not altered. However, after the unswitch link appears (after masquerading), the masquerade_menu_link_alter is not called again.

Confirm that "Switch back" from menu does not work (also after reinstall module)

EDIT related issue #144538: User logout is vulnerable to CSRF

I would rebuild the menu system just in case there is something else going on.

On a fresh install of Masquerade without any other contributed modules, the menu link has the query string added. So I wonder if some other module is altering the menu item or page callback?

http://api.drupal.org/api/function/hook_translated_menu_link_alter/6 is supposed to be called before the item is rendered, so I'm not sure how the token would be missed.

After updating the Masquerade Module from 6.x-1.3 to 6.x-1.4 I can no longer switch back - the response is Access denied.

Patch fixes the issue, also fix for notice when user created.

Using hook_menu_alter is preferred because called only once but previous approach is a great performance loss!!!

I've committed just the notice and indentation changes over at #710952: Undefined index: masquerade_users when registering.

The patch from #8 doesn't change anything for me... but I still can't replicate the issue. We need to isolate what's happening to be sure we have a proper fix.

@deviantintegral Suppose it depends on some contrib modules installed because I cant replicate the issue on clean install but get on some sites.

Also as I pointed hook_menu_alter() called ONCE but hook_menu_link_alter() called for every menu link

Module's reinstall helps, on one of sites I've seen that 'masquerade/unswitch' still exists in 'menu_links' table so seems like some DB dependent bug.

This but hit me with mysql 5.0.77 and php 5.2.13 (d6.17)

I confirm that the issue only manifests itself in presence of a row in the menu_links table with link_path='masquarade/unswitch' and options='a:0:{}'. This row is apparently created by a previous (6.x-1.3) version and is not replaced when the cache is flushed. A workaround is to delete it directly, thus making room for the new row with options='a:1:{s:5:"alter";b:1;}'. This deletion is what the database upgrade script between 6.x-1.3 and 6.x-1.4 should have done.

I had the same issue after upgrading from 6.x-1.3 to 6.x-1.4. The patch in #8 did not help.

However, the following sql calls, based on #13 above, worked:

mysql> use drupal;
mysql> update menu_links set options='a:1:{s:5:"alter";b:1;}' where link_path='masquerade/unswitch';

Nothing helped for me so far. I have uninstalled the module, cleanly re-installed it, flushed all caches, rebuilt permissions, reset the "Switch back" menu item in the navigation menu to its defaults... - Still Access denied every time clicking the "/masquerade/unswitch" link.

subscribing. after upgrading to 6.x-1.4, once masquerade as another user, the masquerade block no longer shows up, so i am unable to switch back.

I think what's described in #16 is a different issue.

I just tested a clean install upgrading 6.x-1.3 to 6.x-1.4, and it worked fine. So it's definitely related to some other module.

Next thought; is some other module changing the alter flag, or the page callback? That might be why the patch addresses the issue, as it's only checking the menu path.

I've attached an updated patch against DRUPAL-6--1.

I tried this 6.x-1.x-dev dated 27-6-2010 version of the dev and i get the following when masquerading.

You are now masquerading as Paige Petersen.
1

(thats all that is on the page) there is a token now in the address bar)

masquerade/switch/29430?token=835bcf3cd4498e1365527af3ffb219cb

However i don't get the switch back menu item until i refresh the page. After refreshing i get Access denied page.

Then if i click on the switch back menu item i get the following in the address bar

masquerade/unswitch

no token on the end (not sure if this is required)
I also get a blank page but it has however switched back as i can then refresh the page and access the admin menu.

Don't know how helpful i will be.
I do have the Login Destination module turned on and "Return user to where he/she came from. (Preserve destination)" enabled.

I haven't been able to duplicate any of the bugs mentioned. I've tried a clean drupal install with 6.x-1.4 and I've tried upgrading from 6.x-1.3 to 6.x-1.4 with no problems.

Same problem, Switchback shows in menu but delivers Access Denied when clicked. I reverted to 1.3 and all is OK again.

Subscribing...

To be able to get this fixed, we need:

1. Testing of the patch in #17.
2. Testing the query in #14 - that will help narrow it down to where the issue is when the menu is built.
3. At best, a module or modules that are known to be causing this. It's not an issue with Drupal itself, so it must be an interaction with some other module. If someone affected by this could narrow it down by disabling modules until the problem goes away, it would go a long way to solving this. Less helpful, but still useful, would be a list of modules installed on affected sites.

If you're affected by this issue, please help tackle one of the above items.

Attached is the screenshot of the "Available updates" screen of a site having this problem - thus showing all Drupal components. Hope it helps.

Thanks for the screenshot. I think I've enabled everything as per your site, however that page doesn't show every single enabled module as it hides submodules within packages. I've enabled all of the modules in the attached text, and can still unswitch from a user. So either it's a module not enabled, or it's a configuration setting within one of the modules.

Seems like "Switch back" item broken if menu was saved from admin/menu so menu rebuild does not work for this items

I tried moving the "Switch back" item to be under "My account", and renamed it to "Unswitch". That would mark it as customized in the menu system, but the token was still added properly even after clearing the menu cache.

Can you trigger it with a specific configuration of the menu?

I tried 6.x-1.4. I cleared the cache and I get the correct page after masquerading and unswitch menu. However unswitch still brings up access denied page.

I tried running the sql commands in #14 and no change to unswitch menu (still access denied).

I tried patch in #17 and no change to unswitch menu (still access Denied)

on all attempts i had to log out and log back in as admin user.

Still working on disabling modules.

I had similar issues when i upgraded this module from 1.3 to 1.4. I could not get the nav menu link to 'switch' or 'switch back' and when 'switching' via the block link i would get 'access denied' when trying to switch back.
However, i have it all working properly, after resetting to defaults on the Masquerade admin page and resetting the (2) navigation menu items.
It is what worked for me.

Tried the same and this did not work for me. However doing this and then going to performance and clearing cached data worked it now switches back.

Thanks for the info.

Phil

Ok Tried it again on backup of site.
installed 1.4
reset masquerade administrator item to defaults
reset switch back navigation menu item to defaults
cleared cache
all works fine

Clearing cache worked for me as well.

I'm good, too. Cleared cache and reinstalled. All is well.

Subscribing

I've got this issue too.
The 'switch back' link in the admin menu doesn't work.
The 'switch' link in the masquerade block does.
Whilst it's handy having an extra link in the menu, I'm going to disable it.

Cheers.

subscribing.
I get this error on all my customer sites since upgrading from 1.3 to 1.4

Just to add to my previous comment, I tested the SQL in #14 and this worked for me after flushing all caches.

Tried all possible suggested solutions - none of them worked for me.

Sounds like a cache issue then; surprises me a bit, as the cache should be cleared when update.php is run. If that's the case, I'm still not sure what the solution is, other then to add a message when upgrading from 1.3 to 1.4 to run update.php again.

It was more than cache for me. I had to actually, manually do the DB update mentioned in #14 and then flush the cache.

I did try flushing the cache first but it still didn't work until I did the DB update.
Maybe this wasn't done with the update to 1.4?

#14 + cache-flush fixed for me

#14 + cache-flush fixed for me

Same fix worked for me as well.

James

Finally... got it!

The solution was to only switch back via the (module-provided) "Masquerade" block. Thus, the Role specific visibility settings for this block have to allow showing it to the "authenticated user" so that it appears at all users being switched to (previously, I had only allowed "administrator" which prevented to show the block when being switched to non-admins). Then the "Switch back" link properly appears linking to "/masquerade/unswitch?token=[ID]" in the "Masquerade" block of the user being switched to.

Previously, the "Switch back" link only appeared in the Navigation block, but linking uncorrectly to "/masquerade/unswitch" (without the query string). So the "Switch back" item of the "Navigation" menu must be disabled (it's not possible to remove it)! The module should have removed it entirely when upgrading from 1.3 to 1.4.

In order that the "Masquerade" block does not appear for non-admins when they are logged in regularly, the "masquerade as admin" and "masquerade as user" permissions should only be granted to the "administrator" role.

I don't understand that.
My 'navigation' link works fine, using the correct string (after the #14 update).
I never give authenticated users access to the block, only admin roles. I use 2 roles; super admin (me) and others (customer).

I have "masquerade as admin" and the customer has "masquerade as user" and it all works without any problems now.

The "Switch back" link in the "Navigation" block never included the query string on my sites, so it never worked there. But in the "Masquerade" block the link is always correct - so the solution for me was just to always use the link in the Masquerade block and no more let it display in the Navigation block.

Even if you let the Masquerade block display to the authenticated user, it won't display to authenticated users not having a "masquerade as ..." permission.

Same problem, fixed with #14+cache clear.

Suppose we need #17 to be commited, as follow-up proposed alter #14 could be implemented as hook_update_N()

#17 work for long now on a bunch of my sites

subscribe

The token was missing. The dev-version fixed it for me. Thanks.

This is also an issue in D7. See #1005198: No "Switch back" link in D7 version.

For D7 version follow #1004014: Replace hook_menu_link_alter() with hook_menu_alter()

Like #46, I have been using #17 now it it works fine for me. BTW: I'm using it in the Admin.module sidebar menu.

Re-roll of #17

I see no reason to check for anonymous name isset($default_test_user->uid) enough because _masquerade_user_load() and user_load() would return FALSE

committed to DRUPAL-6--1

I thought this was still an issue in Drupal 7 until a friend pointed out that I just needed to enable the masquerade block in the footer region. The switch and switch back works great there.

I did however add in this quick fix / hack solution to add a "Masquerade Switch Back" link to the management menu for switching back when masquerading:

Add in a hook_menu call with the following item:

function mymodule_menu() {
// Masquerade module hack
  if(module_exists('masquerade')) {
    $items['masquerade/unswitch'] = array(
      'access callback' => 'masquerade_menu_access',
      'access arguments' => array('unswitch'),
      'page callback' => 'mymodule_masquerade_unswitch',
      'page arguments' => array(),
      'title' => 'Masquerade Switch Back',
      'weight' => 100,
      'menu_name' => 'management',
      'type' => MENU_NORMAL_ITEM,
    );
  }

  return $items;
}

And then add in the page callback as such:

function mymodule_masquerade_unswitch() {
  $token = drupal_get_token('masquerade/unswitch');
  if (isset($token)) {
    global $user;
    $olduser = $user;
    masquerade_switch_back();
    drupal_set_message(t('You are no longer masquerading as !masq_as and are now logged in as !user.', array('!user' => theme('username', array('account' => $user)), '!masq_as' => theme('username', array('account' => $olduser)))));
    drupal_goto($_SERVER['HTTP_REFERER']);
  }
  else {
    drupal_access_denied();
  }
}

#55 worked perfectly for me on Drupal 7.43, this really should be included directly in the module, pretty much every site I use masquerade on needs this functionality...

I just had a horrendous few hours with this module. As an Admin, once I'd switched to another account I no longer had admin privileges and couldn't switch back (no switch back option anywhere). After hours of fiddling (including manual SQL work on the database) I've disabled and uninstalled the module.

However, a list of user names remains on the Hello button of the Maintenance menu. How to get rid of that list?