I'm building a system in Codeigniter 3.
Now as an admin user, i want to have the ability to login as a customer, so basically see what they see when they login.
Is it possible to manipulate the session within Codeigniter to allow an admin user to login to a different users account?
Thanks
I think it's question of how you build your app. I would make a switch which sets the session variable - f.e. "see_as_user" = 1, and than on the layout check this variable. Basically you should take control over what user sees.
Related
I'm trying to figure out how quickest and easiest to allow the admin user on the site I'm building to access and update any user's settings etc. E.g. I've written the code for a regular user to update their settings (and various other actions). Ideally I want an admin to be able to "be" that user as far as my code is concerned, i.e. allow the admin to do anything a user can, to that user's account. Is there any way of doing this?
If I Auth::login() as admin then from the point of view of Laravel I'm the admin user and not the user they might want to edit. If I login as the user then I don't have admin rights (which in my case means an extra admin menu on the navbar with options to suspend or delete the user, or search for other users).
Any thoughts on how to do this please, or am I overcomplicating things? I am looking for a specific functions/code to allow this, rather than a general strategy. I'm using Laravel 5.4, deployed on Heroku. I know there's middleware but it doesn't seem to do what I want as above.
Many thanks.
You could do as suggested in the above comment by Tim Lewis, or you could accept an "override" property in the user edit page where you can pass a specific user ID and then view the page as that user. For instance, the method might look like this:
public function editUser(User $user=null) {
//User that you want to edit can be provided. If not provided, $user will be null and we will load the user that is currently logged in.
if($user!=null && Auth::user()->role=='admin')
$user_to_edit = $user;
else
$user_to_edit = Auth::user();
//other code goes here
}
Then, if you pass a $user object to the method, you will be given the edit page for that user, rather than the Admin. Otherwise, a user will be able to use the same route in order to always view their own edit page.
Be very careful with code like this! You will want to make sure that non-admins do not have the ability to load in a user object and see somebody else's information. That's why I added the $user->role check in the if/else statement, but you might want to add extra security in the form of middleware.
spatie permissions is a wonderful package that I use to make permissions to resources available to super-administrators. https://github.com/spatie/laravel-permission
I use two different applications in my CI installation. The first is called "admin"... obviously an admin panel. The second is "frontend" where everything else is. I use the same database for each of the apps and the same member tables, both for admin authentication and member auth. The problem is, since the CI session class doesn't use native PHP sessions, the session only works in the application that it is set in(which makes sense)... for example, if a user that is indeed an admin logs into the system through the frontend app and then clicks the link to the admin app, they are required to login again. If they have the "Remember Me" option selected across when they login to both apps, this obviously isn't a problem.
How would I fix this? Or do you guys think it's better to have them login to the admin app again, just to validate their admin status again?
Thanks for your time.
You could use the native php session instead. There's a class which you can just copy paste, and you'll not have to change any of the rest of your code.
I'm very new to ion-auth so apologies in advance if this is a dumb question.
I have a feature request from a user (an admin) where they would like to be able to switch into another user's account to see the app from their point of view. The use-case here is that the admin would find the user in question's account in our user admin page in the app, then click a button to effectively 'become' that user.
Any ideas how this would be achieved?
Many thanks
Pete
#Pete,
What you're asking for is what is sometimes called "hijacking" the account.
There isn't currently a feature for that, but essentially what you need to do is:
1) destroy the current session
2) rebuild the session as the user you want to highjack
3) make sure the logged_in session variable is also set.
Passwords are all hashed, but I think it would be pretty straightforward to write a login function for yourself that doesn't go through the password hashing as part of the login steps.
In other words,
1) log out
2) look up the user id's username & password
3) login directly with that password, not a hashed version
Of course, you'll want to be very careful about your security
You need to alter the users_groups table adding a "status" field, in order to set true/false the current user_group.
Then, upgrade the model with a function that makes the following:
Get the current group and sets his status to false.
Get the new group and set his state to true.
Redirect to home page of selected group.
With this change, you can regenerate all the user`s data session and navigate as the selected user.
The situation is quite complicated and why do I need it - do not ask - boss want!
So, immediately after the default authorization i need to run the custom module, which will have an additional test for authorization in another database and depending on its result i need to decide authorize user or not.
Are there any suggestions except for source corrections?
If you are using Joomla's built-in 'Login Menu', you can set 'Login Redirect' parameter to another page and if you are using Joomla's native login module, you can set redirect parameter to any page of your site that you want.
In your case I would recommend to create a simple component (not a module) that authorizes your user for second time, and redirects them again to any other page that you want (if second login was successful) or kick the user (if second login was unsuccessful). If you do that, you'll be able to create a menu for your component and redirect your login panel (either it's a menu or a simple login module) to your component's menu.
Creating components for Joomla is not a big deal if you have a little of knowledge in php programming and there are some tools that may speed up creating your component, like this one: http://www.notwebdesign.com/joomla-component-creator/
Why not make an authentication plugin and use that rather than the core joomla one?
This is for 1.5 but the principles are the same now.
http://docs.joomla.org/Creating_an_Authentication_Plugin_for_Joomla_1.5
Are the Joomla login credentials for a user the same as the other system that you are using? If so, then you can create a plugin that passes those credentials to your other system on a successful Joomla login event.
If not, then it gets a little tricky. Either your users will have to provide both sets of credentials, once for Joomla that then redirects to your other system for the second login, or you will have to extend your user accounts so you can associate the second set of credentials to a user. You can then use a plugin to pass the related credentials to your secondary system after a successful Joomla login event.
I am wanting to build an admin tool where I can "impersonate" users of my site, without having to lose my session as an admin.
I would like to be able to open an iframe that will view the website "as the user", without changing the state of the page that opened the iframe.
Is that possible? Is there a better way to do this?
It's possible, but there's a bit "but" :)
Just a couple options to start with:
Use URL-based session tokens (as Java Servlets do when you have cookies disabled)
Use different domains for "normal" site and admin interface
iframe itself won't help you much: it will always share its cookies with the browser. So in order to avoid that, you can use either of the above options—but that does not depend on the iframe.
What language? My answer is based on the assumption that PHP is your chosen language.
Firstly, I would say you have planned your application wrong if session impersonation is the only way you can view your site as another user while still keeping your admin login intact.
One way you could do it, and again this is assuming that you are using PHP as well as the default session management functions within and you do not have a custom session handler would be to load the iframe url with the ?PHPSESSID=sessionidhere parameter.
A better way to do this is to create your site and authenticate users via a user object of sorts and then add some sort of url parameter such as ?userbrowseid=123
Then when you load the page, your code will only check if the parameter exists if you are already logged in as an admin. The page would then overwrite your current user object with the user object of the user with the id 123. Steps should be taken to make sure your session cookies are not overwridden with the impersonated user object. As this would be in an iframe, your site will work as an admin and the iframe will be loaded as the user object.