masquerade_switch_user() and masquerade_switch_back() invoke the user login and logout hooks as appropriate after an identity switch, as part of the request that performs the switch. However, in the current code, what appears to be the best way to detect a masqueraded user - $_SESSION['masquerading'] - is not set until the hook_init of the next request. This makes it essentially impossible for logic in a login hook to act differently for a masqueraded user.
This could be fixed by setting or unsetting $_SESSION['masquerading'] before invoking the login hooks. Patch forthcoming...
Comment | File | Size | Author |
---|---|---|---|
#10 | masquerade-set_masquerading_flag_on_new_user-2226531-10.patch | 743 bytes | Ludo.R |
|
Comments
Comment #1
mbayntonattaching patch...
Comment #2
mbayntonComment #3
rjacobs CreditAttribution: rjacobs commentedThis might be a dup (or is at least related to) #1813696: Set/unset Session flag when masquerade status changes.
Comment #4
Gjoot CreditAttribution: Gjoot commentedNote that in the masquerade_switch_user($uid) function
The following has been done
This makes the property $user->masquerading useless since you overwrite the variable
If the property $user->masquerading was set before overwriting it you could use it as flag
It would also be better if the property contains the uid of the user that is masquerading instead of the user that has been masqueraded
Comment #5
andypostThere's no such code now http://cgit.drupalcode.org/masquerade/tree/masquerade.module#n811
Session holds state that initialized in
hook_init()
onlyComment #6
michaelmol CreditAttribution: michaelmol commented@andypost see line 858-868 in masquerade.module
If you implement hook_user_login() you can't access the $user->masquerading property, and that would be very usefull.
Comment #7
andypost-xpost-
Comment #8
andypostlooks we need to revert this to
$new_user->masquerading = $user->uid
so new user will get this property initializedPS: also if get rid of this property (+1 to that) we need to update hook_help() that mention about that
Comment #9
texas-bronius CreditAttribution: texas-bronius commentedChiming in here, bc this appears relevant. I'm looking over the whole issue queue for mention of this and looks like a couple places have. This doesn't make sense to me:
It appears than the flag
->masquerading
is getting set needlessly, because the entire$user
object is immediately overwritten. If the intent is to mark the masquerading $user object with the flag->masquerading
, then let's put a boolean in there and keep it on the overwritten object:No change in functionality to implement this except maybe if over the years someone else has gone and implemented their own
$user->masquerading
implementation like this or not.In other modules, the
$_SESSION['masquerading']
(set elsewhere by Masquerade) is a suitable check, but in the case of contrib module contrib module Legal, the hook_user_login action invoked by Masquerade without this $_SESSION marking doesn't allow Legal to detect Masquerade, but (what looks like the intent of) these two lines of code allows the Masquerade detection to occur.Comment #10
Ludo.RHere's a patch based on #9.
Cheers to texas-bronius.
Comment #11
andypostMeanwhile makes sense to add test for that
Comment #12
shaunole CreditAttribution: shaunole commentedWhile the flag indicating if the user is masquerading is useful. I think it would likely be helpful to include something like the following just before overwriting the
$user
variable with$new_user
.$new_user->masquerading_user = $user->uid;
In my testing, this made the masquerading user available to the hook_user_login function for my purposes. Thoughts?