cakephp / authentication

Authentication plugin for CakePHP. Can also be used in PSR7 based applications.
MIT License
117 stars 100 forks

Implement Impersonation #532

Closed ajibarra closed 2 years ago

ajibarra commented 2 years ago

Refs #473

ajibarra commented 2 years ago

> You should run vendor/bin/phpcbf on your changes to fix the formatting issues.

Yeah, indeed it is still missing:

But it is great to get some feedback about approach and code.

Thanks @markstory

markstory commented 2 years ago

It would be helpful to know more about how you see developers using these features. Some use-cases that would be good to have examples of are:

  1. How does a developer enable account impersonation?
  2. Once active does impersonation stay active until it is stopped?
  3. How does one turn off impersonation?

We'll need these use-cases to write the docs, so having them now will help when it is time to write the documentation. Other questions, I have around impersonation are:

ajibarra commented 2 years ago

> So how does one use an impersonated user once they have one? Are we going to support users 'being' the impersonated user and then 'reverting' their identity back to the old one? Will that be an Authenticator or are you thinking it should be a manual process?

If a user is already impersonating, then it throws an UnauthorizedException. We are going to support impersonation and also stopping impersonation (not sure if this question is related to multi-level impersonation; ATM we are going to support only single-level impersonation as previously discussed).

ajibarra commented 2 years ago

> It would be helpful to know more about how you see developers using these features. Some use-cases that would be good to have examples of are:
>
>   1. How does a developer enable account impersonation?
>   2. Once active does impersonation stay active until it is stopped?
>   3. How does one turn off impersonation?
>
> We'll need these use-cases to write the docs, so having them now will help when it is time to write the documentation. Other questions, I have around impersonation are:
>
>   • Should there be a time limit that impersonation is active for? If we don't want to build that into this plugin how would someone go about building that?
>   • Should we emit log messages when impersonation is activated, or should that be an application concern?

  1. Impersonation is enabled by default and people just need to add a couple of actions like these to the UsersController (or similar):

    // Start impersonating the user with the given id.
    public function impersonate($id = null)
    {
        $user = $this->Users->get($id);
        if ($this->Authentication->impersonate($user)) {
            $this->Flash->success(__('You are now impersonating {0}.', $user->email));
        } else {
            $this->Flash->error(__('The user could not be impersonated. Please, try again.'));
        }
        return $this->redirect(['action' => 'index']);
    }

    // Revert to the original identity.
    public function stopImpersonating()
    {
        $user = $this->Authentication->getIdentity();
        if ($this->Authentication->stopImpersonating()) {
            $this->Flash->success(__('You are not impersonating {0} anymore.', $user->email));
        } else {
            $this->Flash->error(__('An error has occurred leaving impersonation. Please, try again.'));
        }
        return $this->redirect(['action' => 'index']);
    }

  2. Once active, impersonation stays active until the session expires or the user stops it.
  3. To stop impersonation, the app must implement an action like the previous one which calls AuthenticationComponent::stopImpersonating. If you mean turn off (disable the feature), I think it is not needed since it depends exclusively on devs calling the feature in their code. We are not providing a user the ability to impersonate if the developer does not add it to the controller layer.
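The flow described in the answer above, with the two open questions (a time limit and audit logging) handled at the application layer, as an added example that is neither the plugin's nor the PR author's code. It uses only the three calls shown in the thread (impersonate(), stopImpersonating(), getIdentity()). Assumptions of this example: users have a `role` column, the session key `App.impersonation` and the 30-minute limit are its own choices, and the exception thrown when already impersonating is Cake\Http\Exception\UnauthorizedException.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's or the PR author's code. Assumptions: users
// have a `role` column; the session key and the 30-minute TTL are this
// example's own; the "already impersonating" exception is
// Cake\Http\Exception\UnauthorizedException.
namespace App\Controller;

use Cake\Event\EventInterface;
use Cake\Http\Exception\ForbiddenException;
use Cake\Http\Exception\UnauthorizedException;
use Cake\Log\Log;

class UsersController extends AppController
{
    // App-owned session key recording who started impersonating, whom, and when.
    private const IMPERSONATION_KEY = 'App.impersonation';

    // Maximum lifetime of an impersonation, in seconds. The plugin keeps it
    // alive for the whole session, so any limit has to be enforced by the app.
    private const IMPERSONATION_TTL = 30 * 60;

    public function beforeFilter(EventInterface $event)
    {
        parent::beforeFilter($event);

        // Expire stale impersonations before any action runs.
        $session = $this->request->getSession();
        $state = $session->read(self::IMPERSONATION_KEY);
        if ($state !== null && time() - $state['started'] > self::IMPERSONATION_TTL) {
            $this->Authentication->stopImpersonating();
            $session->delete(self::IMPERSONATION_KEY);
            Log::info('impersonation.expired', $state);
            $this->Flash->error(__('Your impersonation session has expired.'));
        }
    }

    public function impersonate($id = null)
    {
        // State change: POST only, so the CSRF middleware covers it.
        $this->request->allowMethod(['post']);

        $actor = $this->Authentication->getIdentity();
        $target = $this->Users->get($id);

        // Only admins may impersonate, and never another admin. While already
        // impersonating, getIdentity() is the impersonated (non-admin) user, so
        // this check also blocks nested impersonation before the plugin does.
        if ($actor === null || $actor->role !== 'admin' || $target->role === 'admin') {
            throw new ForbiddenException();
        }

        try {
            $started = $this->Authentication->impersonate($target);
        } catch (UnauthorizedException $e) {
            // Single-level only: the plugin refuses to impersonate while impersonating.
            $started = false;
        }

        if ($started) {
            $state = [
                'admin_id' => $actor->getIdentifier(),
                'target_id' => $target->id,
                'started' => time(),
            ];
            $this->request->getSession()->write(self::IMPERSONATION_KEY, $state);
            Log::info('impersonation.start', $state); // audit trail: who became whom
            $this->Flash->success(__('You are now impersonating {0}.', $target->email));
        } else {
            $this->Flash->error(__('The user could not be impersonated.'));
        }

        return $this->redirect(['action' => 'index']);
    }

    public function stopImpersonating()
    {
        $this->request->allowMethod(['post']);

        $session = $this->request->getSession();
        $state = $session->read(self::IMPERSONATION_KEY) ?? [];
        $impersonated = $this->Authentication->getIdentity(); // still the impersonated user here

        if ($this->Authentication->stopImpersonating()) {
            $session->delete(self::IMPERSONATION_KEY);
            Log::info('impersonation.stop', $state);
            $this->Flash->success(__('You are not impersonating {0} anymore.', $impersonated->email));
        } else {
            $this->Flash->error(__('An error has occurred leaving impersonation.'));
        }

        return $this->redirect(['action' => 'index']);
    }
}
```

The authorization check runs before impersonate() is called because the thread's semantics make getIdentity() return the impersonated user once impersonation is active: an admin-only check therefore fails closed for a nested attempt, independently of the UnauthorizedException the plugin throws. The session record is what makes both the expiry check and the log lines possible, since the page gives no plugin API for either.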
ajibarra commented 2 years ago

@markstory I have merged your branch fix-build to be able to pass checks. Additionally I have fixed the PHP version missing in ci.yml.