Issue #18: pre-check access on user lists (#19)

backdrop-contrib · Feb 21, 2025 · 306668e · 306668e
1 parent 96e9c86
commit 306668e
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/masquerade.module b/masquerade.module
@@ -623,6 +623,7 @@ function masquerade_block_1() {
   }
   else {
     $quick_switches = $config->get('quick_switches');
+    $admin_roles = array_filter($config->get('admin_roles'));
 
     // Add in user-specific switches, and prevent duplicates.
     $user_switches = db_query("SELECT uid_to FROM {masquerade_users} WHERE uid_from = :uid_from", array(':uid_from' => $user->uid))->fetchCol();
@@ -633,7 +634,10 @@ function masquerade_block_1() {
         $account = user_load($switch_user);
         if (isset($account->uid)) {
           $switch_link = 'masquerade/switch/' . $account->uid;
-          if ($account->uid) {
+          $perm = $user->uid == 1 || array_intersect((array) $account->roles, $admin_roles) ?
+            'masquerade as admin' :
+            'masquerade as user';
+          if ($account->uid && user_access($perm)) {
             $quick_switch_links[] = l($account->name, $switch_link, array('query' => array('token' => backdrop_get_token($switch_link))));
           }
           if ($switch_user == 0) {
@@ -745,18 +749,29 @@ function masquerade_block_1_submit($form, &$form_state) {
  */
 function masquerade_autocomplete($string) {
   $config = config('masquerade.settings');
+
+  // Check if user qualifies as admin.
+  $admin_roles = array_filter($config->get('admin_roles'));
+  global $user;
+
   $matches = array();
   // Anonymous user goes first to be visible for user.
   $anonymous = t(config_get('system.core', 'anonymous'));
   if (stripos($anonymous, $string) === 0) {
     $matches[$anonymous] = $anonymous;
   }
   // Other suggestions.
-  $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER(:string)", 0, 10, array(
+  $result = db_query_range("SELECT uid, name FROM {users} WHERE LOWER(name) LIKE LOWER(:string)", 0, 10, array(
     ':string' => $string . '%',
   ));
-  foreach ($result as $user) {
-    $matches[$user->name] = check_plain($user->name);
+  foreach ($result as $switch_user) {
+    $account = user_load($switch_user->uid);
+    $perm = $user->uid == 1 || array_intersect((array) $account->roles, $admin_roles) ?
+      'masquerade as admin' :
+      'masquerade as user';
+    if (user_access($perm)) {
+      $matches[$account->name] = check_plain($account->name);
+    }
   }
   if (module_exists('devel')) {
     $GLOBALS['devel_shutdown'] = FALSE;