ankane/pretender

Losing true_user

jamsi opened this issue · 5 comments

We seem to be experiencing an issue where (quite magically) the true_user is lost and our admin staff suddenly just "become" the user. Perhaps the session timing out?

Any ideas what could be causing this?

Which authentication framework do you use?

Devise.


Nice gem, but I have the same issue. Browsing (viewing) impersonated users seems to work ok, but if I attempt to edit a user-setting, I suddenly become that user. Here is what I know.

I am using Devise with a custom registrations controller.

# routes.rb
  devise_for :users, :controllers => { :registrations => "registrations" }

In that registrations_controller, I am attempting to let a user (real or impersonated) change various settings without entering a password. (The exceptions are the password field itself.) Here is the excerpt from the registrations_controller.

def update_resource(resource, params)
  if (not params[:password].blank?) or (not params[:password_confirmation].blank?)
    resource.update_with_password(params)
  else
    resource.update_without_password(params)
  end
end

If I impersonate a user and then change a non-password setting, I am suddenly that user. Something to do with devise ...

I realize this is a necro, but since it isn't closed, others may find their way here.

Devise logs you out when editing "your own" details. Since you're impersonating "User 12" when you edit the user setting, Devise seems to log out everything.

You need to (re)sign_in (all) the user(s) after making the change.

See

sign_in @user, bypass: true

heartcombo/devise#971
heartcombo/devise#1039
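
An added example, not code from pretender, Devise or this thread: a plain-Ruby model of the session state discussed above, showing how an account update can replace or drop the authenticated identity during impersonation, and a guard that restores it. The session keys, `preserve_true_user` and the two `update_that_*` helpers are hypothetical names; the assumption is that in a real controller the restore step would be the `sign_in @user, bypass: true` call quoted above, applied to the true user.

```ruby
# Constructed model: plain hashes stand in for the Rails session and user table.
User  = Struct.new(:id, :name)
USERS = { 1 => User.new(1, "admin"), 12 => User.new(12, "customer") }.freeze

# Hypothetical session keys (assumption); the real gems use their own storage.
AUTH_KEY = :auth_user_id          # who actually authenticated (true_user)
IMP_KEY  = :impersonated_user_id  # who is being impersonated, if anyone

def true_user(session)
  USERS[session[AUTH_KEY]]
end

def current_user(session)
  # Impersonation is only honoured while a true user is still signed in.
  return nil unless true_user(session)
  USERS[session[IMP_KEY]] || true_user(session)
end

# Runs an account update and puts both identities back if the update changed
# or dropped the authenticated one. Returns :unchanged or :restored so the
# caller can write an audit log entry whenever a restore was needed.
def preserve_true_user(session)
  admin_id  = session[AUTH_KEY]
  target_id = session[IMP_KEY]
  yield
  return :unchanged if session[AUTH_KEY] == admin_id && session[IMP_KEY] == target_id
  session[AUTH_KEY] = admin_id # re-sign-in the real account
  if target_id
    session[IMP_KEY] = target_id
  else
    session.delete(IMP_KEY)
  end
  :restored
end

# Failure mode 1: the update signs the edited account in as the session owner.
def update_that_resigns_in(session)
  session[AUTH_KEY] = current_user(session).id
end

# Failure mode 2: the update drops the whole login.
def update_that_logs_out(session)
  session.clear
end
```

Logging every `:restored` result gives an audit trail of requests where the authenticated identity would otherwise have silently changed.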

Thanks for the explanation @ShadowRadiance