17.
Impersonation (Login as Someone Else)
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
Whoops, an error! Please, try again later.
9 Comments
Hi,I have on problem with impersonating, eg as an admin I have a page listing the users, with link to log in as, that's good, I login as the users, but I have the possibility to navigate back to previous page, then I can see all the users ! but when I click on a link that only admin has access to, I get the forbidden message. The admin is not dev, so has no clue to solve the issue, what can I do about that?
Hey Benoit L.!
I think I've gotten this question before... a LONG time ago... and basically the answer is: you can't avoid this... (good news!) you shouldn't try! The behavior you're seeing has nothing to do with Symfony: it's simply how the "Back" button in browsers work. So, to avoid this, what you would *really* be trying to do is disable the back button. And that (I believe) is not something that's really possible. I think the only solution would be to add some JavaScript to the admin page that, on "page load", sends an AJAX request to see if the user is still logged in. And if they are not, redirect elsewhere.
So, the good news is that this is not a Symfony-specific thing - it's just "how the Internet works". Another solution could be to open a new tab when you log in as the other user. Then, that tab would have no history and you couldn't click to go back.
Cheers!
Hi Good to know that it has nothing to do with Symfony ! thanks
Hey Ryan,
awesome Tutorial!
For example in Jira I also have the option to log in as different users, There I have the "switch back" option.
I tried to implement the same here and found, that I got one extra role available, if I switch the user, which is the 'ROLE_PREVIOUS_ADMIN' role.
Is it the right way, to determine, if I impersonated someone?
Here is the code I used, to check in the twig template:
And maybe, there is a shortcut, to get the current path out of twig ;)
thanks for the awesome tutorial!
Hey Daniel,
Yes, the ROLE_PREVIOUS_ADMIN is the Symfony way to do it! What about shortcut - I don't know any shorter than that. But probably you can create special route which always will redirect back based on HTTP referer: $request->headers->get('referer').
Cheers!
Hello Victor
I associated acl with masks (MASK EDIT, MASK VIEW, ....) to an entity according to a role for example: ROLE_SUPER_ADMIN.
I would like to retrieve them to modify them using a form which contains permissions ie masks like (MASK_VIEW, ..)
Thanks for your help
Hey Nizar
Have you consider using the voter's system? https://symfony.com/doc/cur...
or you can check our video about it: https://knpuniversity.com/s...
But what happens when, for instance, you have ROLE_ADMIN and ROLE_SUPER_ADMIN both with the ROLE_ALLOWED_TO_SWITCH. How can you prevent an ADMIN impersonating a SUPER ADMIN?
Hey Piter,
Well, do not give an ADMIN the ROLE_ALLOWED_TO_SWITCH role? probably the simplest one :) But yeah, good question. I have never tried to do this, but looks like it's possible to do by overriding the default SwitchUserListener, see this answer in StackOverflow: https://stackoverflow.com/a... . With this way you have a full control with any crazy custom logic.
Cheers!
"Houston: no signs of life"
Start the conversation!