I've noticed a bug and I will describe the steps to replicate it below. This bug may be related to Unmasquerade link appears for users with the permission: 'link to any page', regardless of masquerade status. However the bug I'm about to describe does not require the user to have permission to 'link to any page'.
Here's the bug:
Install Drupal 8.0.6.
Download and enable the masquerade module.
Create a new authenticated user.
Log in as the new authenticated user.
See the Unmasquerade link in authenticated user's toolbar and the Unmasquerade menu link in the User account menu.
When the authenticated user clicks either link, they are sent to /unmasquerade with a token in a query string on a Access denied page.
Comment | File | Size | Author |
---|---|---|---|
#23 | interdiff-2710977_20-23.txt | 849 bytes | arpad.rozsa |
#23 | 2710977_23-test-only.patch | 2.34 KB | arpad.rozsa |
#23 | 2710977_23.patch | 3.01 KB | arpad.rozsa |
|
Comments
Comment #2
esod CreditAttribution: esod at Memorial Sloan Kettering Cancer Center commentedComment #3
esod CreditAttribution: esod at Memorial Sloan Kettering Cancer Center commentedComment #4
sheanhoxieI must be very tired, this does not apply to the issue...
Looks like changing this value in masquerade.routing.yml
_user_is_masquerading: 'TRUE'
to
_user_is_masquerading: 'FALSE'
removes the link from users other than admin
unsure what happened, but the link is now gone for me in my normal user accounts. After removing and reinstalling Masquerade module, the link is still gone from normal accounts. So I'm guessing this is something on my side.However, below still returns false, so it does not show a link to unmasquerade for those users currently masquerading
getContext() in MasqueradeCacheContext always returns FALSE for me, even when the $_SESSION['masquerading'} value is set
Comment #5
sheanhoxieAgain, looks like I'm tired, this does not apply to the issue
Looks like the module is using $_SESSION most places, so switching from$this->requestStack
->getCurrentRequest()
->getSession()
->has('masquerading');
TO
return (isset($_SESSION['masquerading']));
gives the masqueraded user the "unmasquerade" link back
Comment #6
esod CreditAttribution: esod at Memorial Sloan Kettering Cancer Center commentedWell thanks @sheanhoxie for looking into this bug. The menu link in the User account menu is not so bad. One can always remove that manually after installation or create an update hook to remove it.
Everyone using this module is going to get the link in the toolbar. The link in the toolbar is the must-fix part of this bug.
Comment #7
bobemoe CreditAttribution: bobemoe commentedI'm also facing this issue, however only with the user account menu. The Admin Toolbar seems to function as expected:
I get the unmasquerade link in the Admin Toolbar ONLY if I am masquerading, which is how I would expect it to work.
However if I am logged in as any user, masquerading or not, then I ALWAYS get the unmasquerade link in the user account menu.
I have applied the workaround suggested by esod, by removing the link from the user account menu all together, however it would be useful if this worked as expected so when masquerading as a user who doesnt have the admin toolbar I can unmasquerade easily.
The difference between my report and the original report could well be because I am running 8.x-1.0-beta1 on newer core 8.1.2?
Comment #8
mr.baileysCaching-related issues should have been fixed by #2448699: Implement caching for the masquerade block and links with a 'masquerade' cache context. Can you try and reproduce the issue using 8.x-2.x-dev?
Comment #9
andypostLooks we need new release
Comment #10
rivedav CreditAttribution: rivedav commentedSame issue here. I'm using Drupal 8.2.3. Eventhough I go to admin/structure/block/manage/masquerade and change the view mode to Admin user. Any authenticated user will se the UnMasquerade button.
Comment #11
andypostAre you sure you're not using UID1 for testing?
Comment #12
slashrsm CreditAttribution: slashrsm at Tag1 Consulting commentedI think that this is caused by the missing cache meta-data in the toolbar item. The attached patch fixes it for me.
Comment #13
andypostIs there steps to test it?
looks a right way, to provide context always
Comment #14
RumyanaRuseva CreditAttribution: RumyanaRuseva at FFW commentedComment #15
k4v CreditAttribution: k4v commentedWorks for me! This is great, I ran into this bug in several projects now.
The cache context is the right solution for this.
Comment #16
k4v CreditAttribution: k4v commentedComment #17
andypostit still needs test coverage
Comment #18
ñull CreditAttribution: ñull as a volunteer commentedDo I understand correctly that this fix causes the unmasquerade link to appear only when an administrator with that permission is masquerading (session.is_masquerading) as other user, right? Well I just tested the patch on my Drupal 8.63 and guess what, now the unmasquerade link is removed when I am masquerading as other user. Is that expected behaviour?By accident I was using "Switch user" in stead of Masquerade. I can confirm that the patch works as expected.Comment #19
BerdirFound this too and came up with the same fix.
Note that this is not a problem by default because shortcut.module still makes the toolbar uncacheable in dynamic page cache. Once #2914110: Shortcut hook_toolbar implementation makes all pages uncacheable is committed, this problem will start to appear for a lot more use cases, specifically users that do have access to shortcuts.
Comment #20
arpad.rozsa CreditAttribution: arpad.rozsa at Studio Present commentedAdded a test case to check if the cache context is present and if the unmasquerade link is not visible, when you login with a user.
Comment #21
arpad.rozsa CreditAttribution: arpad.rozsa at Studio Present commentedAdding just a test only patch.
Comment #22
BerdirassertNo* tests are always a bit tricky, because it is for example possible that the label is changing and then it would still pass.
The best way to prevent that is to also add explicit asserts close to it that make sure that link is shown when it should be, aka, just duplicate those two lines and do assertLinke() + cache context after the masquerading as well.
Then once more test-only + combined patch and then it should be RTBC.
Comment #23
arpad.rozsa CreditAttribution: arpad.rozsa at MD Systems GmbH commentedExpanded the test as you suggested.
Comment #24
BerdirThanks, looks good now I think.
Remember to upload the test-only patch last because the testbot will update the status based on the last patch in an issue comment.
Comment #26
andypostThanks a lot for fixing and tests