How to redirect to a given page after masquerading?

At the end of masquerade_switch_user(), there is:

drupal_goto(referer_uri());

I've attached a patch that refactors masqurade_switch_user() and masqurade_switch_back() into page callbacks and API functions. That way, you should be able to call masqurade_switch_user() directly in your form, without having it mess up your #redirect.

Note this is completely untested as I was on the plane when I wrote it :)

Reroll against HEAD.

Updated patch that properly throws an error if the user doesn't have access to switch to the specified user.

And here's a patch against HEAD.

I've committed the attached patch to DRUPAL-6--1.

Thanks for this. Will have a look. I had the same problem. But I also needed the facility to be able to switch users as an API call ( without FAPI ).

And for this, there may be cases where we don't want any redirect at all.

Also, going to referrer() seems problematic given that you could well be switching back to a page for which the original users doesn't have access to. Or that they have access to it, but are accessing it as the 'wrong' user for the application logic.

My approach was to add the parameter redirect which could be boolean or a path and by default was set to true. In the API scenario you may not want to go anywhere at all after a redirect.

Also, if you do want to redirect, but have not specified the destination, the safest place is the home page;

If you want to specify a redirect, this can be passed as a string (for API users); and finally, the return to the redirect should be the starting point of the original masquerade request - so we store the referrer as $_SESSION['masquerade_redirect'] prior to redirection (see attached).

Anyway, not sure how much help the above is, and I may well be able to achieve all these things with your API patch, so feel free to ignore.

(BTW - this applies Drupal 6 version)

@bluffit are you still using your API for switching without formapi? Can ypu post a patch or your code?

Hi andypost,

Sorry for the late reply. I am still using the old module (my bad) as the new one would require a major attack.

bluffit, can you make this a patch for the D6 version, so it can be tested?

#5 or #6 is a preferable way to implement API switching? Probably this functionality could be used with Rules.

When porting we should care about masquerade_user_operations()

Thought about this request: http://drupal.org/node/1538428#comment-7192554

I was also looking for this feature (7.x) but managed to accomplish what I needed by using hook_user_login, testing array_key_exists('masquerading', $_SESSION) and calling a drupal_goto.

I'm not sure if we need this feature built directly into Masquerade, but having an API so that other modules could do things while switching users (and switching back) would certainly be helpful.

Edit: Just read the other issue, it looks like that's what the plan is over there. Kudos!

For d7 a custom modules could implement hook_drupal_goto_alter()

followup on andypost, I used:

function HOOK_drupal_goto_alter(&$path, &$options, &$http_response_code) {
	if(strstr(request_path(),'masquerade/switch')) {
		 $path = ''; // go home after masquarading
	}
}

Thanks Nevos!

According to the module code http://cgit.drupalcode.org/masquerade/tree/masquerade.module#n711, I am altering the referer, as so:

/**
 * Implements hook_form_alter().
 */
function module_form_masquerade_block_1_alter(&$form, &$form_state) {
  array_unshift($form['#submit'], 'module_form_masquerade_redirect');
}

function module_form_masquerade_redirect() {
  $_SERVER['HTTP_REFERER'] = '/user';
}

Could this pose any problem?
I was wondering if instead of drupal_goto, masquerade would call a hook like "masquerade_post_switch" and let another module what action to take? If the maintainer agrees, I can post a patch.

Using referee uri is bad idea because it mostly empty and could be fake, so having hook a nice idea
Also this needs to be ported to 8.x

Greetings, I am submitting a patch allowing the module to invoke a hook in the redirect submit block to override the landing page after masquerade. Though I have one question: Is there a security check necessary on the $redirect variable?

Thanks,
Cristian

I had this use case as well. This is sort-of a follow up on #17.

Using $form_state['redirect'] instead of drupal_goto in masquerade_block_1_submit would allow other modules to redirect as necessary using a form_alter without losing the access check. For example:

/**
 * Implements hook_form_FORM_ID_alter().
 */
function mymodule_form_masquerade_block_1_alter(&$form, &$form_state, $form_id) {
  $form['#submit'][] = 'mymodule_masquerade_block_1_submit';
}

/**
 * Additional submit handler for masquerade_block_1.
 */
function mymodule_masquerade_block_1_submit($form, &$form_state) {
  $form_state['redirect'] = '/node/1';
}

See https://www.drupal.org/node/1975230 for documentation on redirecting a form.

The patch for this is pretty simple. However, is there a specific reason drupal_goto is being used?

Removed the parentheses.

is there a specific reason drupal_goto is being used?

Yep, to prevent "destination" override that we have issue in d8