Allow staff admin to impersonate other users

HyphaApp / hypha

Submission management software for open calls

https://www.hypha.app

BSD 3-Clause "New" or "Revised" License

67 stars 38 forks source link

Allow staff admin to impersonate other users #3962

Closed bickelj closed 1 week ago

bickelj commented 1 month ago

When HIJACK_ENABLED = True and Staff Admin can see Wagtail admin and Staff Admin can view users, allow Staff Admin to impersonate.

Fixes #3961

Test Steps

Set HIJACK_ENABLED = True.
As Admin, allow Staff Admin to add/update/remove Users.
As Staff Admin user, find an Impersonate button now available in Wagtail admin
Impersonate a user by clicking the button.

frjo commented 1 month ago

Are you using Hijack in production? This is not something I want to encourage in Hypha.

The current implementation is only ment for development and testing, where it is quite handy.

bickelj commented 3 weeks ago

@frjo It appears we do use hijack in prod.

frjo commented 3 weeks ago

@bickelj That is not something that will be encourage in Hypha. If staff can act as other users there is no accountability and no meaningful auditing can be done.