Merge pull request #273 from wintercms/wip/improved-impersonation

Impersonation improvements

modules/backend/assets/css/winter.css

@@ -586,6 +586,9 @@ body {font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sa
 .control-tabs.primary-tabs.tabs-no-inset >ul.nav-tabs,
 .control-tabs.primary-tabs.tabs-no-inset >div >ul.nav-tabs,
 .control-tabs.primary-tabs.tabs-no-inset >div >div >ul.nav-tabs {margin-left:0;margin-right:0}
+.global-notice{position:sticky;top:0;display:flex;align-items:center;flex-wrap:wrap;gap:0.5em;justify-content:space-between;z-index:10500;background:#ab2a1c;color:#FFF;padding:0.5em 0.75em}
+.global-notice .notice-icon{font-size:1.5em;vertical-align:bottom;display:inline-block;margin-right:.25em}
+.global-notice .notice-text{display:inline-block;vertical-align:middle}
 .layout {display:table;table-layout:fixed;height:100%;width:100%}
 .layout >.layout-row {display:table-row;vertical-align:top;height:100%}
 .layout >.layout-row >.layout-cell {display:table-cell;vertical-align:top;height:100%}

modules/backend/lang/en/lang.php

@@ -47,7 +47,7 @@ return [
         'impersonate_confirm' => 'Are you sure you want to impersonate this user? You can revert to your original state by logging out.',
         'impersonate_success' => 'You are now impersonating this user',
         'impersonate_working' => 'Impersonating...',
-        'impersonating' => 'Impersonating :full_name',
+        'impersonating' => 'You are temporarily logged in as :impersonatee. Logs are still able to identify you as :impersonator',
         'stop_impersonating' => 'Stop impersonating',
         'unsuspend' => 'Unsuspend',
         'unsuspend_confirm' => 'Are you sure you want to unsuspend this user?',

modules/backend/layouts/default.htm

@@ -6,6 +6,23 @@
     </head>
     <body class="<?= $this->bodyClass ?>">
         <div id="layout-canvas">
+            <?php if (\BackendAuth::isImpersonator()) : ?>
+                <div class="global-notice">
+                    <div class="notice-content">
+                        <span class="notice-text">
+                            <span class="notice-icon wn-icon icon-exclamation-triangle"></span>
+                            <?= e(trans('backend::lang.account.impersonating', [
+                                'impersonator' => \BackendAuth::getImpersonator()->email,
+                                'impersonatee' => \BackendAuth::getUser()->email,
+                            ])); ?>
+                        </span>
+                    </div>
+                    <a href="<?= Backend::url('backend/auth/signout') ?>" class="notice-action btn btn-secondary">
+                        <?= e(trans('backend::lang.account.stop_impersonating')) ?>
+                    </a>
+                </div>
+            <?php endif; ?>
+
             <div class="layout">
 
                 <!-- Main Menu -->

modules/backend/models/User.php

@@ -209,4 +209,66 @@ class User extends UserBase
     {
         BackendAuth::findThrottleByUserId($this->id)->unsuspend();
     }
+
+    //
+    // Impersonation
+    //
+
+    /**
+     * Returns an array of merged permissions based on the user's individual permissions
+     * and their group permissions filtering out any permissions the impersonator doesn't
+     * have access to (if the current user is being impersonated)
+     *
+     * @return array
+     */
+    public function getMergedPermissions()
+    {
+        if (!$this->mergedPermissions) {
+            $permissions = parent::getMergedPermissions();
+
+            // If the user is being impersonated filter out any permissions the impersonator doesn't have access to already
+            if (BackendAuth::isImpersonator()) {
+                $impersonator = BackendAuth::getImpersonator();
+                if ($impersonator && $impersonator !== $this) {
+                    foreach ($permissions as $i => $permission) {
+                        if (!$impersonator->hasAccess($permission)) {
+                            unset($permissions[$i]);
+                        }
+                    }
+                    $this->mergedPermissions = $permissions;
+                }
+            }
+        }
+
+        return $this->mergedPermissions;
+    }
+
+    /**
+     * Check if this user can be impersonated by the provided impersonator
+     * Super users cannot be impersonated and all users cannot be impersonated unless there is an impersonator
+     * present and the impersonator has access to `backend.impersonate_users`, and the impersonator is not the
+     * user being impersonated
+     *
+     * @param \Winter\Storm\Auth\Models\User|false $impersonator The user attempting to impersonate this user, false when not available
+     * @return boolean
+     */
+    public function canBeImpersonated($impersonator = false)
+    {
+        if (
+            $this->isSuperUser() ||
+            !$impersonator ||
+            !($impersonator instanceof static) ||
+            !$impersonator->hasAccess('backend.impersonate_users') ||
+            $impersonator === $this
+        ) {
+            return false;
+        }
+
+        // Clear the merged permissions before the impersonation starts
+        // so that they are correct even if they had been loaded prior
+        // to the impersonation starting
+        $this->mergedPermissions = null;
+
+        return true;
+    }
 }

modules/cms/models/ThemeLog.php

@@ -87,7 +87,7 @@ class ThemeLog extends Model
         $record->content = $isDelete ? '' : $newContent;
         $record->old_content = $oldContent;
 
-        if ($user = BackendAuth::getUser()) {
+        if ($user = BackendAuth::getRealUser()) {
             $record->user_id = $user->id;
         }