-
Notifications
You must be signed in to change notification settings - Fork 634
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ImpersonateUser fix #893
ImpersonateUser fix #893
Conversation
bscheshirwork
commented
Mar 16, 2017
Q | A |
---|---|
Is bugfix? | yes |
New feature? | no |
Breaks BC? | yes/no |
Fixed issues | #890 |
+1 - please merge :) |
@bscheshirwork Hey - could you please copy your PR over to https://github.com/dabilite/yii2-user/pulls ? We currently have an fork of dektrium/yii2-user ongoing. Thanks ! |
You are clearly not doing the right thing. 17 opened PR. 3 new Member... 759 stars! Can resolve problem in this project. |
The Idea is to do a "temporary fork" of the dektrium module collection that can be merged back into dektrium once @dmeroff or @thiagotalma have enough resources again to manage the project. |
Sure? A nightmare for combining and verifying which of the PRs were combined to you branch and which are not. |
Git is decentral by design, i don´t see any problems with it. |
I don't feel much for moving over to another fork for the moment and having to move back later in my projects. You are not only dealing with a decentral system, but also with user implementations. |
Merged. Thanks! |
Sorry I haven't checked this in detail, but it looks to me like only the button is hidden. There should be additional checks in the controller or not? |
@schmunk42 Can you create a new PR with the changes that you think necessary? |
I can't remember... So.. this action allow to all for design reason (one action to masquerade and to go out) yii2-user/controllers/AdminController.php Lines 183 to 193 in 120ab9e
and check access inside yii2-user/controllers/AdminController.php Lines 344 to 346 in 120ab9e
|
@schmunk42 look at this ^ |
Ah, I remember :) Actually, we have this permission set. Our problem comes from the fact that we have ie. three roles for users: admin, developer and editor. A developer should be able to use the user-module, but if we set the So giving the I guess we need to implement this via events or is this something you would like to address in the user-module? |
@schmunk42 yes Yii::$app->user->identity->isAdmin will be customize throw 'modules' => [
'user' => [
'class' => 'dektrium\user\Module',
'enableRegistration' => false,
'adminPermission' => 'administrateUser',
... |
or we have |
Using a 'developer' role could be misleading. We use the impersonate user function also on the live system, for the administrators to see what the user has done. We use a own role 'can-impersonate' for this to fine-grain which administrators should get this (very powerful!) access right. |
I thought about a similar thing. Moreover, although I haven't check this in detail ... a user should only be able to assign permissions/roles he has |
So... This is argument for redesign it. |
Big +1 for the can-assign-revoke idea. Being able to fine-grain the administrator access rights is really important. One should also not be able to impersonate into any other administrator user ! Currently this is possible, so every admin could do everything, when he knows how. We definitely need some huge redesign for this feature. I am still not sure if all our work and love should better go into yii2-usuario though... will this fork ever be merged into dektrium again? |
@thyseus @schmunk42 how about separate administrate and impersonate? 'modules' => [
'user' => [
'class' => 'dektrium\user\Module',
'adminPermission' => 'administrateUser',
'impersonatePermission' => 'impersonateUser', |
I can see some merged PR |
I mean: in the long term its bad to have dektrium/yii2-user and yii2-usuario in parallel with the same codebase but different features... there should be one, great user module for yii2. |
I'd be also very interested in a common code-base. @thiagotalma Are you a maintainer of this project now? Looks to me like this is the case from commits and releases. @tonydspaniard Will you or someone of your team be able to support |
Furthermore (just collecting ideas): all impersonating actions should be logged very precisely (login+logout time) so one can determine which action was done by the "real" user, and which one by the "admin". For example, we use yii\behaviors\BlameableBehavior a lot, and the created_by column would be set to the user id in Yii::app->user->id - the "real" user, even when impersonated through the admin. We should think about how we handle this. What happens when the real user and the impersonating administrator are logged in simultaneously (not uncommon when the admin tries to support the user in real-time) ? How do we avoid conflicts (row lock, ...) |
@schmunk42 Please, join here |
I just found the time to add some security improvements to the impersonating feature: |