Mailing List Archive: Catalyst: Users

superuser "switch-user" session function?

 

 



will at serensoft

Jul 8, 2010, 10:27 AM

Post #1 of 8 (720 views)
superuser "switch-user" session function?

Hmm: Become-user?

Is there a clean way to provide a means for sys-admins to "become user" to
track down issues? It's much easier to diagnose when seeing what the user's
seeing directly, when we look at it through our own eyes -- as opposed to
relying on vague user-style descriptions ("unrecognized date format" vs
"doesn't work").

use Catalyst qw/
ConfigLoader
Static::Simple
Session
Session::Store::DBIC
Session::State::Cookie
Authentication
Authentication::Credential::Password
Authorization::Roles
Authorization::ACL
/;



--
will trillich
"I think it would be worse to expect nothing than to be disappointed." --
Anne (with an 'e') Shirley


peter at peknet

Jul 8, 2010, 11:21 AM

Post #2 of 8 (698 views)
Re: superuser "switch-user" session function? [In reply to]

will [at] serensoft wrote on 07/08/2010 12:27 PM:
> Hmm: Become-user?
>
> Is there a clean way to provide a means for sys-admins to "become user"
> to track down issues? It's much easier to diagnose when seeing what the
> user's seeing directly, when we look at it through our own eyes -- as
> opposed to relying on vague user-style descriptions ("unrecognized date
> format" vs "doesn't work").


I have implemented this feature in my app. I don't know how "clean" it
is, but my controller looked something like this:

package MyApp::Controller::Admin::Sudo;

use strict;
use warnings;
use Carp;
use Data::Dump qw( dump );
use base qw( Catalyst::Controller );

# The original post did not show where $auth comes from; it is the
# application's own login/logout helper (as is $c->error404). Declared
# here only so that the file compiles under strict.
our $auth;

sub switch_user : Local {
    my ( $self, $c ) = @_;

    my $newusername = $c->req->params->{username};

    if ( !$newusername ) {
        $c->error404;
        return;
    }

    # state-changing action: accept POST only
    if ( uc( $c->req->method ) ne 'POST' ) {
        $c->error404;
        return;
    }

    # one level of switching only
    if ( exists $c->session->{sudo_switched_from} ) {
        $c->error( "already switched user from "
                . $c->session->{sudo_switched_from} );
        $c->stash( error_msg => 'You must restore your original user first.' );
        return;
    }

    my $oldusername = $c->user->id;

    $c->log->info("user $oldusername sudo to user $newusername");

    my $model  = $c->model('Account');
    my $groups = $model->get_groups_for($newusername);

    # logout as current user
    $auth->logout($c);

    # login as newuser
    $auth->login( $c, $newusername, $groups );

    # remember who we really are, in the new user's session
    $c->session->{sudo_switched_from} = $oldusername;

    # redirect to user home page
    $c->res->redirect( $c->uri_for('/my') );
}

sub restore_original_user : Local {
    my ( $self, $c ) = @_;

    my $orig_user = $c->session->{sudo_switched_from};

    if ( !$orig_user ) {
        $c->error404;
        return;
    }

    my $current_user = $c->user->id;

    my $model  = $c->model('Account');
    my $groups = $model->get_groups_for($orig_user);

    # logout as current user
    $auth->logout($c);

    # login as original user
    $auth->login( $c, $orig_user, $groups );

    # forget the switch, otherwise the next switch_user would be refused
    delete $c->session->{sudo_switched_from};

    # redirect to myMSI
    $c->res->redirect( $c->uri_for('/my') );
}

1;



--
Peter Karman . http://peknet.com/ . peter [at] peknet

_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/


rburbrid at cisco

Jul 9, 2010, 9:02 AM

Post #3 of 8 (702 views)
Re: superuser "switch-user" session function? [In reply to]

On 07/08/2010 01:27 PM, will [at] serensoft wrote:
> Hmm: Become-user?
>
> Is there a clean way to provide a means for sys-admins to "become
> user" to track down issues? It's much easier to diagnose when seeing
> what the user's seeing directly, when we look at it through our own
> eyes -- as opposed to relying on vague user-style descriptions
> ("unrecognized date format" vs "doesn't work").
>
> use Catalyst qw/
> ConfigLoader
> Static::Simple
> Session
> Session::Store::DBIC
> Session::State::Cookie
> Authentication
> Authentication::Credential::Password
> Authorization::Roles
> Authorization::ACL
> /;
>

I just have the user log in and then admins can go to a page and "steal"
the session cookie (storing it to browser) from any user from the db.
I'm in a controlled env. with no danger from it, though =)

-Sir





will at serensoft

Nov 29, 2010, 3:37 PM

Post #4 of 8 (509 views)
Re: superuser "switch-user" session function? [In reply to]

Aha! It looks like a sneaky, evil, wrong, mean, horrid way to switch-user in
the middle of a session is to

$c->session->{__user}{id} = $new_id_here; # since "id" = PK

But that's undoubtedly bad form of the worst kind.

What's the canonical non-sneaky above-board friendly golden way to do this?






--
will trillich -- http://faq.serensoft.com/
"The truth is that many people set rules to keep
from making decisions." -- Mike Krzyzewski


2010 at denny

Nov 29, 2010, 4:19 PM

Post #5 of 8 (509 views)
Re: Re: superuser "switch-user" session function? [In reply to]

On Mon, 2010-11-29 at 17:37 -0600, will trillich wrote:
> Aha! It looks like a sneaky, evil, wrong, mean, horrid way to
> switch-user in the middle of a session is to
>
> $c->session->{__user}{id} = $new_id_here; # since "id" = PK
>
> But that's undoubtedly bad form of the worst kind.
>
> What's the canonical non-sneaky above-board friendly golden way to do
> this?

t0m wrote something on the list a while back about putting your user
details into the stash manually rather than using $c->user directly.
One of the reasons he gave was that then, if you want to override the
(perceived) user session, you can override $c->stash->{ user } instead
of having to mess with $c->user itself.

Although presumably it would make sense to hinge the admin-only
functions (such as 'switch user') off of $c->user - so that you can
still switch back when you're done :)

Regards,
Denny





peter at peknet

Nov 30, 2010, 7:01 AM

Post #6 of 8 (508 views)
Re: Re: superuser "switch-user" session function? [In reply to]

will trillich wrote on 11/29/2010 05:37 PM:
> Aha! It looks like a sneaky, evil, wrong, mean, horrid way to
> switch-user in the middle of a session is to
>
> $c->session->{__user}{id} = $new_id_here; # since "id" = PK
>
> But that's undoubtedly bad form of the worst kind.
>
> What's the canonical non-sneaky above-board friendly golden way to do this?
>

I don't know that there is a canonical way. This is Perl.

As I mentioned in my reply to this thread in July[0], one way is to
login as the new user and store the original username in the new user's
session. That way the app knows that the new user is allowed to revert
to the original user, but otherwise the app treats the current session
just as it would if the new user had logged in normally.


[0] http://www.mail-archive.com/catalyst [at] lists/msg09968.html

--
Peter Karman . http://peknet.com/ . peter [at] peknet



hernanlopes at gmail

Nov 30, 2010, 7:18 AM

Post #7 of 8 (510 views)
Re: Re: superuser "switch-user" session function? [In reply to]

Indeed, I think it should login as a new user not changing the actual
session.
Maybe something like:

admin clicks "login as joeuser" > open a new browser window as admin > verify
it's admin and re-login as a new user. register on session user is admin so
he can log back in.
Then add button "terminate session, close window and logout and log back in
with adminfoologin on parent.window"


--Hernan



will.trillich at serensoft

Sep 25, 2011, 12:37 PM

Post #8 of 8 (328 views)
Re: Re: superuser "switch-user" session function? [In reply to]

Mwa ha ha! It was $c->SET_AUTHENTICATED all along! This is how you
switch-user/become-user/super-user inside Catalyst.

Try this on for size:

sub su : Chained('/is_admin') PathPart('su') Args(1) {
    my ( $self, $c, $id ) = @_;

    my $user_was = $c->user;
    my $user_is  = $c->find_user({ id => $id }); # Do some error trapping of course...
    $c->set_authenticated( $user_is );
    $c->stash( message => join ' ', 'Switched from', $user_was->name, 'to', $user_is->name );
}

Voila! Now $c->user is "$user_is" and no longer "$user_was". Neat!

Any bad karma expected here? This is so admin-types can help non-admin-types
diagnose issues...





--
"The very nucleus of Character: to do what you know you should do, when you
don't want to do it." Stephen Covey
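The following controller is an added example and is not code from any poster in this thread. It combines Peter's pattern from post #2 (remember the original user in the session of the user you switched to, so the app otherwise treats the session as a normal login) with Will's `set_authenticated` approach from post #8, and fills in the "error trapping of course" that post #8 leaves out: POST-only, admin role checked on the real identity before anything changes, one level of switching, no admin-to-admin switches, an audit line that names the real actor, and a fail-closed `restore`. It assumes Catalyst::Plugin::Authentication (`find_user`, `set_authenticated`, `logout`, `user_exists`), Catalyst::Plugin::Session and Catalyst::Plugin::Authorization::Roles are loaded, that user objects expose `id` and `check_roles`, a role named `admin`, and the session key `su_switched_from`; the controller name, paths and the `_deny`/`_who` helpers are this example's own.

```perl
package MyApp::Controller::Admin::Su;
use Moose;
use namespace::autoclean;

BEGIN { extends 'Catalyst::Controller' }

# Session key that marks an impersonated session and remembers who started
# it. The key name and the role name 'admin' are assumptions of this example.
my $SWITCHED_FROM = 'su_switched_from';

# POST /admin/su/become/<id>: an administrator becomes user <id>.
sub become : Local Args(1) {
    my ( $self, $c, $target_id ) = @_;

    # State-changing: require POST so a crafted link cannot trigger a switch.
    return $self->_deny( $c, 405, 'POST required' )
        if uc( $c->request->method ) ne 'POST';

    # Decide on the *real* identity before the session is touched.
    return $self->_deny( $c, 403, 'admin role required' )
        unless $c->user_exists && $c->check_user_roles('admin');

    # One level only: an impersonated session may not impersonate again.
    return $self->_deny( $c, 409, 'restore your original user first' )
        if exists $c->session->{$SWITCHED_FROM};

    my $target = $c->find_user( { id => $target_id } );
    return $self->_deny( $c, 404, 'no such user' ) unless $target;

    # Refuse admin-to-admin switches: the feature exists to help ordinary
    # users, and every admin action should stay attributable to one admin.
    return $self->_deny( $c, 403, 'cannot impersonate an administrator' )
        if $target->check_roles('admin');

    my $admin_id = $c->user->id;

    # Audit before switching so the record names the real actor.
    $c->log->info( sprintf 'su: admin %s -> user %s from %s',
        $admin_id, $target->id, $c->request->address );

    # set_authenticated() replaces $c->user and the persisted session user;
    # the marker is written afterwards, into that same session.
    $c->set_authenticated($target);
    $c->session->{$SWITCHED_FROM} = $admin_id;

    $c->response->redirect( $c->uri_for('/') );
}

# POST /admin/su/restore: an impersonated session returns to the admin.
# No admin check here: the current user is the impersonated one, and the
# session marker is the only thing that authorises the way back.
sub restore : Local Args(0) {
    my ( $self, $c ) = @_;

    return $self->_deny( $c, 405, 'POST required' )
        if uc( $c->request->method ) ne 'POST';

    # Remove the marker first so it cannot be reused whatever happens next.
    my $admin_id = delete $c->session->{$SWITCHED_FROM};
    return $self->_deny( $c, 404, 'not an impersonated session' )
        unless defined $admin_id;

    my $admin = $c->find_user( { id => $admin_id } );
    unless ($admin) {
        # The original account vanished while switched: fail closed.
        $c->logout;
        return $self->_deny( $c, 403, 'original user no longer exists' );
    }

    $c->log->info( sprintf 'su: user %s -> admin %s (restore)',
        $self->_who($c), $admin_id );

    $c->set_authenticated($admin);
    $c->response->redirect( $c->uri_for('/admin') );
}

# Current identity for log lines, tolerating a logged-out session.
sub _who {
    my ( $self, $c ) = @_;
    return $c->user_exists ? $c->user->id : 'anonymous';
}

# Uniform refusal: log the reason and send a short plain-text error.
sub _deny {
    my ( $self, $c, $status, $reason ) = @_;
    $c->log->warn( sprintf 'su: refused (%s) for %s', $reason, $self->_who($c) );
    $c->response->status($status);
    $c->response->content_type('text/plain');
    $c->response->body("Refused: $reason");
    return;
}

__PACKAGE__->meta->make_immutable;
1;
```

Because the switched session is a real login for the target user, Authorization::Roles and Authorization::ACL rules apply exactly as they would for that user, which is what makes the view useful for diagnosis; the marker key plus the two log lines are the audit trail that ties the impersonated session back to the admin who started it.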
