Hi there,
Is there a way to redirect to a specific page after masquerading?
I am creating a site where the admin user needs to masquerade to access other user's account. I have created an admin section where I've put a list of all the users. In front of each user there is a "log in as this user" button, that redirects to masquerade:
// at the end of a form_submit handler
$form_state['redirect'] = 'masquerade/switch/'.$uid;
The problem is that after going to the masquerade link, it goes back to the admin page, where non-admin users are not authorized to be. So, I get an "access denied".
Is there a way to do something like this:
// at the end of a form_submit handler
$form_state['redirect'] = 'masquerade/switch/'.$uid.'?destination=some-page';
Thanks for a great module, by the way!
Comment | File | Size | Author |
---|---|---|---|
#21 | interdiff.txt | 286 bytes | richardbporter |
#21 | how_to_redirect_to_a-763972-21.patch | 362 bytes | richardbporter |
#20 | how_to_redirect_to_a-763972-20.patch | 364 bytes | richardbporter |
#19 | masquerade-redirect-763972-D7-19.patch | 436 bytes | cristiroma |
#6 | masquerade.zip | 5.61 KB | southweb |
Comments
Comment #1
deviantintegral commented:
At the end of masquerade_switch_user(), there is:
drupal_goto(referer_uri());
I've attached a patch that refactors masquerade_switch_user() and masquerade_switch_back() into page callbacks and API functions. That way, you should be able to call masquerade_switch_user() directly in your form, without having it mess up your #redirect.
Note this is completely untested as I was on the plane when I wrote it :)
Comment #2
deviantintegral commented:
Reroll against HEAD.
Comment #3
deviantintegral commented:
Updated patch that properly throws an error if the user doesn't have access to switch to the specified user.
Comment #4
deviantintegral commented:
And here's a patch against HEAD.
Comment #5
deviantintegral commented:
I've committed the attached patch to DRUPAL-6--1.
Comment #6
southweb commented:
Thanks for this. Will have a look. I had the same problem. But I also needed the facility to be able to switch users as an API call (without FAPI).
And for this, there may be cases where we don't want any redirect at all.
Also, going to referrer() seems problematic given that you could well be switching back to a page for which the original user doesn't have access to. Or that they have access to it, but are accessing it as the 'wrong' user for the application logic.
My approach was to add the parameter redirect which could be boolean or a path and by default was set to true. In the API scenario you may not want to go anywhere at all after a redirect.
Also, if you do want to redirect, but have not specified the destination, the safest place is the home page;
If you want to specify a redirect, this can be passed as a string (for API users); and finally, the return to the redirect should be the starting point of the original masquerade request - so we store the referrer as $_SESSION['masquerade_redirect'] prior to redirection (see attached).
Anyway, not sure how much help the above is, and I may well be able to achieve all these things with your API patch, so feel free to ignore.
(BTW - this applies to the Drupal 6 version)
Comment #7
andypost commented:
@bluffit are you still using your API for switching without formapi? Can you post a patch or your code?
Comment #8
southweb commented:
Hi andypost,
Sorry for the late reply. I am still using the old module (my bad) as the new one would require a major attack.
Comment #9
LEternity commented:
bluffit, can you make this a patch for the D6 version, so it can be tested?
Comment #10
andypost commented:
Is #5 or #6 the preferable way to implement API switching? Probably this functionality could be used with Rules.
Comment #11
andypost commented:
When porting we should care about masquerade_user_operations()
Comment #12
obleser commented:
Thought about this request: http://drupal.org/node/1538428#comment-7192554
Comment #13
jenlampton commented:
I was also looking for this feature (7.x) but managed to accomplish what I needed by using hook_user_login, testing array_key_exists('masquerading', $_SESSION) and calling a drupal_goto.
I'm not sure if we need this feature built directly into Masquerade, but having an API so that other modules could do things while switching users (and switching back) would certainly be helpful.
Edit: Just read the other issue, it looks like that's what the plan is over there. Kudos!
Comment #14
andypost commented:
For d7 a custom module could implement hook_drupal_goto_alter()
Comment #15
nevosa commented:
Follow-up on andypost, I used:
Comment #16
ndenhild commented:
Thanks Nevos!
Comment #17
cristiroma commented:
According to the module code http://cgit.drupalcode.org/masquerade/tree/masquerade.module#n711, I am altering the referer, as so:
Could this pose any problem?
I was wondering if instead of drupal_goto, masquerade would call a hook like "masquerade_post_switch" and let another module decide what action to take? If the maintainer agrees, I can post a patch.
Comment #18
andypost commented:
Using the referer URI is a bad idea because it is mostly empty and could be fake, so having a hook is a nice idea.
Also this needs to be ported to 8.x
Comment #19
cristiroma commented:
Greetings, I am submitting a patch allowing the module to invoke a hook in the redirect submit block to override the landing page after masquerade. Though I have one question: Is there a security check necessary on the $redirect variable?
Thanks,
Cristian
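An added example, not code from this thread or from the Masquerade module: one way to treat the `$redirect` value asked about in #19 (or a Referer-derived value, per #18) so that only a site-internal path survives, with the front page as the fallback suggested in #6. The function name and the sample values are hypothetical.

```php
<?php
/**
 * Hypothetical helper (not part of Masquerade): reduce a redirect candidate
 * to a site-internal Drupal path, or return the fallback.
 */
function example_masquerade_safe_redirect($candidate, $fallback = '<front>') {
  // A hook implementation may return nothing, FALSE or a non-string.
  if (!is_string($candidate) || $candidate === '') {
    return $fallback;
  }
  // Reject control characters and backslashes: browsers treat "\" like "/",
  // so "\\host" behaves as a protocol-relative URL.
  if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
    return $fallback;
  }
  // Drupal paths carry no leading slash; "//host/path" is protocol-relative.
  if ($candidate[0] === '/') {
    return $fallback;
  }
  // A colon before the first "/", "?" or "#" marks a URL scheme.
  $colon = strpos($candidate, ':');
  if ($colon !== FALSE && $colon < strcspn($candidate, '/?#')) {
    return $fallback;
  }
  // Keep the path only, so a nested "destination" parameter cannot
  // override the landing page later.
  $path = substr($candidate, 0, strcspn($candidate, '?#'));
  return $path === '' ? $fallback : $path;
}

// Constructed sample values, as a hook or a Referer header might supply them.
$samples = array(
  'user/5/edit',
  'node/3?destination=admin',
  'http://other.example/landing',
  '//other.example/landing',
  "\\\\other.example",
  'javascript:void(0)',
  NULL,
);
foreach ($samples as $candidate) {
  printf("%-34s => %s\n", var_export($candidate, TRUE),
    example_masquerade_safe_redirect($candidate));
}
```

Inside Drupal 7 the returned path still needs an access check for the masqueraded account (for instance with drupal_valid_path()) before it is handed to drupal_goto() or $form_state['redirect'].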
Comment #20
richardbporter (as a volunteer) commented:
I had this use case as well. This is sort-of a follow up on #17.
Using $form_state['redirect'] instead of drupal_goto in masquerade_block_1_submit would allow other modules to redirect as necessary using a form_alter without losing the access check. For example:
See https://www.drupal.org/node/1975230 for documentation on redirecting a form.
The patch for this is pretty simple. However, is there a specific reason drupal_goto is being used?
Comment #21
richardbporter (as a volunteer) commented:
Removed the parentheses.
Comment #22
andypost commented:
Yep, to prevent "destination" override that we have issue in d8