Feel free to prove me wrong on this one, but I just shot a 15-minute video about Masquerade for GotDrupal.com.

The wording in the settings area is in conflict with what really happens.

When any role has the 'masquerade as admin' permission, it can become the super user (uid 1) or any other user.

When any role has the permission 'masquerade as user' it is able to become any user EXCEPT those checked within the settings area of Masquerade.

At least this is what was happening when I shot the video. Here is my suggested text and a screenshot of how it would look. I'll post a link to the video when I get it posted so you can review it if you wish.

As a recap, reading the current settings description...

"Only the users with masquerade as admin permission, will be able to masquerade as the users who belong to the roles selected below."

When checking the role 'authenticated user' in masquerade settings, it sounds AS IF, anyone with masquerade as admin will ONLY be able to switch to users WITHIN the role 'authenticated user' ... YET, if you test this, you'll still be able to switch to the root user using the masquerade block.

Maybe this is just a hole in the masquerade block, but, by default, the block is available to all users - unless limited within block settings.

---------------- snip ----------------
Suggested text revision...

Users with masquerade as user permission, will be able to masquerade as any other user EXCEPT those users who belong to the roles selected below. User #1 is automatically considered an administrator, regardless of roles. ANY user with the masquerade as admin permission will be able to become the site super user or any other user.

Roles which cannot be accessed by the masquerade as user permission


Comments

deviantintegral’s picture

Thanks for the text review - it's always useful.

I can't seem to replicate the issue you're describing. I've attached my configuration, and with that users with the "switcher" role can't switch to any user at all (since all users are authenticated users).

I wonder if what we really need to make it clearer is to remove the default roles from that list.

mattman’s picture

I think as it is worded right now it's a bit confusing.

I've posted my video that I shot and you can review it to see if there is something wrong with my setup. I don't think there was, but according to the way I move through the testing process in the video, any role with the 'masquerade as admin' permission is able to become super user, despite any roles checked in the masquerade settings.

Here's the link to the video.

http://gotdrupal.com/videos/drupal-masquerade

deekayen’s picture

Status: Active » Closed (duplicate)