Allow impersonating when already impersonated #139
Conversation
|
It's a shame it doesn't have any reviews. |
|
I'm not convinced this is the best way to solve this "problem". What I've done for this is simply to block the Impersonate option in the UI if the user is already impersonating. Another thing I did in one app was apply a header bg color change when impersonating, so that it's always obvious that you're already in impersonation mode (the users of that app were often accidentally editing things wrongly while in impersonation, and they were satisfied that this header bg color/overlay was enough of a clue to be cautious.) Anyway, checking "can impersonate", "can be impersonated" and "already impersonating" for UI components will often be enough for this, and can be done in existing apps right away without package changes. |
There was a problem hiding this comment.
If this PR gets approved, I think it would be wise to first check canImpersonate() before checking isImpersonating(). Swap the checks. eg: It might be unexpectedly surprising to try to impersonate someone else who can't be impersonated and then forced out of the impersonation you were already in.
eg:
+ // abort if destination user cannot be impersonated
+ if (!$request->user()->canImpersonate()) {
+ abort(403);
+ }
+
+ // if already impersonating someone else, leave impersonation
if ($this->manager->isImpersonating()) {
- abort(403);
+ $this->manager->leave();
}
- if (!$request->user()->canImpersonate()) {
- abort(403);
- }I suppose a config switch could be added and checked inside if($this->manager->isImpersonating()) to control whether $this->manager->leave() is called vs abort(403).
This PR hopes to solve a situation where you can't re-impersonate when already impersonated.
The problem I'm trying to solve here has to do with the following situation:
Please note I didn't test this, but it seems rather straight-forward to me.
Thanks!