frappe/erpnext

Administrator should be able to impersonate any user

Closed this issue · 11 comments

This should be helpful so the administrator can quickly log in as any user account for testing permissions and settings. Many great software products offer such a feature, for example GitLab, ....

This is not going to create any security issue because administrators can already do that at the moment if they want, but they have to reset the user's password.

@onlinebizsoft This might be convenient but is definitely a security issue. Resetting the password lets the user know that the Admin has changed the password.

The Administrator can change a user's password without letting the user know in any one of a number of different ways... the Administrator is already all-powerful so this is not, I think, a security issue. The Administrator can already change the database to make it look like someone else did something, and access all the data on the system (assuming they have console access, but as Administrator I suspect they could gain that fairly easily even if they didn't already, since certain DocTypes cause the execution of arbitrary Python).

.. certain DocTypes cause the execution of arbitrary Python ...

Any evidence of this?

Edit: To rephrase, 'certain DocTypes cause the execution of arbitrary Python' is a bit misleading.
You can run arbitrary JS in client browsers via Custom Script, which is not that useful but could let you do other nefarious things.
To get to the Python, you can write a Print Format, for example, which runs Python code via Jinja2, and while there are some restrictions on it, I would be very surprised if you couldn't break out of it fairly easily.
If you just want to change the version history, you can use the Bulk Update tool to change the owner of documents and the Version history.

I think that Admin should have the ability to become another user.
It is the best way for testing

  • user based functionality
  • check bugs which users reported
  • check permissions issues

Now it is hard to check what exactly a user sees. It is not only about document access. I want to check if he can see some buttons, etc. And the only way I can do that for now is to create a user with the same permissions and roles (but this is not possible because of user-based permissions). And if we have 30 - 40 roles in the system, it is hard to create a test user for each role combination.

And about the point that this is a security issue: I don't think that. It depends on the way we do it.
It should only be possible for Administrators to impersonate a specific user from the admin area (not by some SUPER password - this would be a security issue).

jpubb commented

I think it's a pretty important feature for admins.

Nextcloud has had it for a long time (and we use it frequently):
https://www.youtube.com/watch?v=wup_HzTv0LM

The function could be made better by notifying the impersonated user by email each time an admin initiates and closes an impersonation session. If implementing that, then you would probably also want to notify the user of any email address changes/updates (i.e. if a user's email is changed by an admin, send the user's $oldemail an email telling them that user $username has changed their email address to $newemail).

This is probably good practice for email changes/updates anyway, but would add another layer of maliciousness for an evil admin to have to intentionally jump through to impersonate a user without their authorization.

We already implemented this in a custom app....
JS code:

frappe.ui.form.on('User', {
    refresh: function(frm, cdt, cdn) {
        // Only show the button to the built-in Administrator account
        if (frappe.session.user === 'Administrator') {
            frm.add_custom_button(__("Impersonate"), function () {
                // Call the whitelisted server method with the user being viewed
                frappe.call({
                    method: 'custom_app.impersonate.impersonate',
                    args: {
                        user: frm.doc.name
                    },
                    callback: function (r) {
                        frappe.show_alert({message: r.message, indicator: 'green'});
                        // Reload so the new session cookie takes effect
                        location.reload(true);
                    }
                });
            });
        }
    }
});

PY function:

import frappe
from frappe import _
from frappe.sessions import clear  # drops the current session/cache before switching user


@frappe.whitelist()
def impersonate(user):
    # Note: the second condition also lets every System Manager impersonate,
    # not only the built-in Administrator account
    if frappe.session.user == "Administrator" or "System Manager" in frappe.get_roles():
        clear()
        frappe.local.login_manager.login_as(user)
        return "impersonated as: " + str(user)
    frappe.throw(_("Not permitted"), frappe.PermissionError)
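Two things the thread asks for are missing from the snippet above: a tighter gate (Administrator only, no nested impersonation) and a record of who really acted, plus the notification email jpubb suggests. The following is an added, framework-independent example (not code from this thread, from the custom app, or from Frappe/ERPNext) showing how an impersonation session can keep the real identity alongside the effective one and write both to an audit trail. The Session, AuditStore and ROLES objects are stand-ins constructed here; in a real Frappe app they would map to the session object, a custom DocType and frappe.sendmail.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed role table standing in for the User/Has Role records on a site
ROLES = {
    "Administrator": {"Administrator", "System Manager"},
    "alice@example.com": {"Accounts User"},
    "bob@example.com": {"Sales User", "System Manager"},
}


class NotPermitted(Exception):
    """Raised when the impersonation gate rejects the request."""


@dataclass
class Session:
    user: str                          # effective user for permission checks
    roles: set
    impersonator: Optional[str] = None  # real identity while impersonating


@dataclass
class AuditStore:
    events: list = field(default_factory=list)  # audit trail records
    mails: list = field(default_factory=list)   # notification mails (stand-in)


def _now():
    return datetime.now(timezone.utc).isoformat()


def start_impersonation(session, target_user, audit, reason=""):
    """Switch the session to target_user, keeping the admin's identity."""
    # Gate on the account, not on a role: a "System Manager" check would
    # open this to every system manager on the site.
    if session.user != "Administrator":
        raise NotPermitted("only Administrator may start an impersonation session")
    # Refuse to stack sessions; the audit trail must always name the real actor.
    if session.impersonator is not None:
        raise NotPermitted("already impersonating; stop the current session first")
    if target_user == "Administrator" or target_user not in ROLES:
        raise NotPermitted("cannot impersonate %s" % target_user)
    audit.events.append({"ts": _now(), "action": "impersonation_start",
                         "actor": session.user, "target": target_user,
                         "reason": reason})
    # Notify the affected user, as suggested in the thread
    audit.mails.append({"to": target_user,
                        "subject": "An administrator has started a session as you"})
    return Session(user=target_user, roles=set(ROLES[target_user]),
                   impersonator=session.user)


def stop_impersonation(session, audit):
    """Return to the admin's own session and close the audit record."""
    if session.impersonator is None:
        raise NotPermitted("not an impersonation session")
    audit.events.append({"ts": _now(), "action": "impersonation_stop",
                         "actor": session.impersonator, "target": session.user})
    audit.mails.append({"to": session.user,
                        "subject": "The administrator session as you has ended"})
    return Session(user=session.impersonator,
                   roles=set(ROLES[session.impersonator]))


def effective_actor(session):
    """Identity to stamp on records (owner/modified_by) while impersonating,
    so the admin's changes are not attributed to the impersonated user."""
    return session.impersonator or session.user


if __name__ == "__main__":
    audit = AuditStore()
    admin = Session(user="Administrator", roles=set(ROLES["Administrator"]))
    as_alice = start_impersonation(admin, "alice@example.com", audit, "ticket #1234 (constructed)")
    print(as_alice.user, as_alice.roles, "acting as", effective_actor(as_alice))
    back = stop_impersonation(as_alice, audit)
    print(back.user, [e["action"] for e in audit.events])
```

The point of `effective_actor` is that permission checks run against `session.user` while audit fields record `session.impersonator`, which is what makes the "evil admin" scenario in the thread detectable after the fact.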

A custom app to add impersonation to v13. Inspired by @janecekmato

https://github.com/iptelephony/persona

Great Work