IUSCA / SQAN

Scalable Quality Assurance for Neuroimaging - (SQAN): A full-stack system solution for extracting, translating, and logging (ETL) + web portal-based quality-control verification of DICOM-formatted medical imaging data/metadata.
https://sqan.sca.iu.edu/

SQAN: Add sudo/become user feature #152

Closed. agopu closed this 4 years ago.

youngmd commented 4 years ago

Added a "spoof" route to the user API controller. Authenticated users with the "god" role can use this route to temporarily become any other user. Implemented in the Vue interface; works as expected. Logging out and back in reverts to the normal user.

youngmd commented 4 years ago

After discussing with Arvind, we agreed that because admin users can assign roles, there was a security gap where an admin user could promote themselves to the god role and then sudo in as another user. The solution is to limit user editing/deletion to the god role only. This also necessitated updating the bootstrap script in /bin that creates the initial 'admin' user so that it assigns the god role.
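The two comments above describe a "spoof" (become-user) route gated on the god role, a privilege-escalation path through the admin role's ability to assign roles, and the fix of restricting user editing/deletion to god. The following is an added example, not SQAN's own code: a framework-free JavaScript model of those rules so the escalation path can be replayed before and after the fix. The role names "god" and "admin" and the route name "spoof" come from the issue; the in-memory user store, the session shape, and every function name are assumptions made for illustration.

```javascript
// Added example, not code from SQAN: models the access rules described in this issue
// as plain functions. Role names ("god", "admin") and the "spoof" route follow the
// issue text; the in-memory user store, session shape and function names are assumptions.

const ROLES = { GOD: 'god', ADMIN: 'admin', USER: 'user' };

// Constructed in-memory user table standing in for the application's database.
function makeUsers() {
  return {
    alice: { username: 'alice', roles: [ROLES.GOD] },
    bob:   { username: 'bob',   roles: [ROLES.ADMIN] },
    carol: { username: 'carol', roles: [ROLES.USER] },
  };
}

function hasRole(user, role) {
  return !!user && Array.isArray(user.roles) && user.roles.includes(role);
}

// Resolve the acting user from the session. Authorization is checked against the
// identity the session currently presents, which is what "become another user" means.
function actorOf(session, users) {
  return users[session.username];
}

// "spoof" route from the first comment: only god may become another user.
function spoof(session, users, targetName) {
  if (!hasRole(actorOf(session, users), ROLES.GOD)) {
    return { status: 403, error: 'god role required' };
  }
  if (!users[targetName]) return { status: 404, error: 'no such user' };
  // The new session presents the target; the real identity is retained so that a
  // logout (which discards the session entirely) restores the original user.
  return { status: 200, session: { username: targetName, realUsername: session.username } };
}

// User edit as first implemented: admin OR god may change any user's roles, including
// their own. This is the gap the second comment describes.
function editUserRolesBefore(session, users, targetName, roles) {
  const actor = actorOf(session, users);
  if (!(hasRole(actor, ROLES.ADMIN) || hasRole(actor, ROLES.GOD))) return { status: 403 };
  if (!users[targetName]) return { status: 404 };
  users[targetName] = { ...users[targetName], roles: [...roles] };
  return { status: 200 };
}

// User edit after the fix: only god may edit users, so an admin can no longer grant
// themselves god and then spoof.
function editUserRolesAfter(session, users, targetName, roles) {
  if (!hasRole(actorOf(session, users), ROLES.GOD)) return { status: 403 };
  if (!users[targetName]) return { status: 404 };
  users[targetName] = { ...users[targetName], roles: [...roles] };
  return { status: 200 };
}

// Deletion is restricted to god the same way after the fix.
function deleteUserAfter(session, users, targetName) {
  if (!hasRole(actorOf(session, users), ROLES.GOD)) return { status: 403 };
  if (!users[targetName]) return { status: 404 };
  delete users[targetName];
  return { status: 200 };
}

// Bootstrap step from the second comment: the initial 'admin' user must carry the god
// role, otherwise nobody can edit or delete users once the restriction is in place.
// Returns true if a user was created, false if a god user already exists.
function bootstrapInitialAdmin(users) {
  const anyGod = Object.values(users).some((u) => hasRole(u, ROLES.GOD));
  if (anyGod) return false;
  users.admin = { username: 'admin', roles: [ROLES.ADMIN, ROLES.GOD] };
  return true;
}

// Replay the escalation path from the second comment against a given edit handler:
// admin bob grants himself god, then tries to spoof the god user alice.
function escalationPath(editHandler) {
  const users = makeUsers();
  const session = { username: 'bob' };
  const edit = editHandler(session, users, 'bob', [ROLES.ADMIN, ROLES.GOD]);
  const sp = spoof(session, users, 'alice');
  return {
    editStatus: edit.status,
    spoofStatus: sp.status,
    becameAlice: sp.status === 200 && sp.session.username === 'alice',
  };
}

console.log('before fix:', escalationPath(editUserRolesBefore));
console.log('after fix: ', escalationPath(editUserRolesAfter));
```

Run with `node` to see the escalation succeed against the original edit handler (admin edit 200, spoof 200) and fail against the restricted one (403 on both). The point of the design is that the permission to assign roles is itself the most sensitive permission in the system: any role that can grant god must be treated as equivalent to god, so the fix keeps the grant and the spoof behind the same role.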