After looking at the code, I realized that if 2 users masquerade as the same user, you might not get the right masquerading user.

I created a panel pane that checks the masquerading role. The pane can only be seen if the masquerading user has the admin role. I took 2 users that have access to masquerade: user test1 is admin and user test2 is not admin. Both test1 and test2 masquerade as the user test3. In my case, the code loads test1 for both. The result is that test2 can see the block even if he doesn't have admin access.

I quickly looked at the code of all sub-modules and it looks like they might all have the same issue. The SQL that loads the masquerading user doesn't take the session id.
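The collision described in this report, as an added example that is not part of the original post or the module's code: two sessions masquerade as the same account, and a lookup keyed only on the masqueraded uid resolves both to the first row. The table and column names (`masquerade`, `sid`, `uid_from`, `uid_as`), the session ids and the helper functions are assumptions constructed for illustration.

```python
import sqlite3

def build_db():
    """Constructed sample data: test1 (admin) and test2 (not admin) both masquerade as test3."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER);
        CREATE TABLE masquerade (sid TEXT, uid_from INTEGER, uid_as INTEGER);
        INSERT INTO users VALUES (1, 'test1', 1), (2, 'test2', 0), (3, 'test3', 0);
        INSERT INTO masquerade VALUES ('sess-test1', 1, 3), ('sess-test2', 2, 3);
    """)
    return db

def masquerader_by_uid(db, uid_as):
    """Lookup keyed only on the masqueraded account: ambiguous when it is shared."""
    return db.execute(
        "SELECT u.name, u.is_admin FROM masquerade m "
        "JOIN users u ON u.uid = m.uid_from "
        "WHERE m.uid_as = ? ORDER BY m.rowid LIMIT 1",
        (uid_as,),
    ).fetchone()

def masquerader_by_session(db, uid_as, sid):
    """Lookup scoped to the requesting session as well as the masqueraded account."""
    return db.execute(
        "SELECT u.name, u.is_admin FROM masquerade m "
        "JOIN users u ON u.uid = m.uid_from "
        "WHERE m.uid_as = ? AND m.sid = ?",
        (uid_as, sid),
    ).fetchone()

def pane_visible(row):
    """Access rule from the report: show the pane only to an admin masquerader.
    Fails closed when no masquerade row matches."""
    return bool(row and row[1])

if __name__ == "__main__":
    db = build_db()
    # test2's request, resolved without the session id: test1's role is applied.
    print("uid-only lookup:", masquerader_by_uid(db, 3), pane_visible(masquerader_by_uid(db, 3)))
    # Same request, resolved with test2's session id.
    row = masquerader_by_session(db, 3, "sess-test2")
    print("session lookup: ", row, pane_visible(row))
```
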

Comments

fprevos2

The following patch fixes the issue I have in masquerade_ctools but I think it needs more work. The function will only work for the logged-in user since it uses his session id.

wjaspers

Status: Active » Needs work

The current session may not necessarily reflect the user your panel argument is accessing.
It might be in our interest to make a separate context to handle this specific case.

I assume your use case involves checking if an anonymous user is "being masqueraded".

I should also mention that as far as I've been able to tell, the masquerade module doesn't permit the same user to be masqueraded by multiple others.

fprevos2

I agree that my patch doesn't work since the session id might not be right, but it fixes the problem I was having. I don't see a working patch for this issue since you have no way of determining the user session for the user your panel argument is accessing (if there are multiple sessions for that user).

Masquerade does support multiple users masquerading as the same user.

I think you can only fix this issue if the only user your panel argument is accessing is the current user.

wjaspers

In that case it might be in our interest to create a different context plugin or expose some different options for it.

At the moment I don't have much time to devote to resolving this, so any patches would be greatly appreciated.