From 306668e74aa65d868520a1a0885e8c8ac2f9c7da Mon Sep 17 00:00:00 2001
From: Herb
Date: Thu, 20 Feb 2025 22:49:07 -0500
Subject: [PATCH] Issue #18: pre-check access on user lists (#19)

---
 masquerade.module | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/masquerade.module b/masquerade.module
index c0e085c..cb211d6 100644
--- a/masquerade.module
+++ b/masquerade.module
@@ -623,6 +623,7 @@ function masquerade_block_1() {
 }
 else {
 $quick_switches = $config->get('quick_switches');
+ $admin_roles = array_filter($config->get('admin_roles'));
 // Add in user-specific switches, and prevent duplicates.
 $user_switches = db_query("SELECT uid_to FROM {masquerade_users} WHERE uid_from = :uid_from", array(':uid_from' => $user->uid))->fetchCol();
@@ -633,7 +634,10 @@ function masquerade_block_1() {
 $account = user_load($switch_user);
 if (isset($account->uid)) {
 $switch_link = 'masquerade/switch/' . $account->uid;
- if ($account->uid) {
+ $perm = $user->uid == 1 || array_intersect((array) $account->roles, $admin_roles) ?
+ 'masquerade as admin' :
+ 'masquerade as user';
+ if ($account->uid && user_access($perm)) {
 $quick_switch_links[] = l($account->name, $switch_link, array('query' => array('token' => backdrop_get_token($switch_link))));
 }
 if ($switch_user == 0) {
@@ -745,6 +749,11 @@ function masquerade_block_1_submit($form, &$form_state) {
 */
 function masquerade_autocomplete($string) {
 $config = config('masquerade.settings');
+
+ // Check if user qualifies as admin.
+ $admin_roles = array_filter($config->get('admin_roles'));
+ global $user;
+
 $matches = array();
 // Anonymous user goes first to be visible for user.
 $anonymous = t(config_get('system.core', 'anonymous'));
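Review bot: The added `$admin_roles = array_filter($config->get('admin_roles'));` will throw a TypeError on PHP 8 if the `admin_roles` setting is absent and `get()` returns NULL, since array_filter() no longer accepts a non-array. Casting first, `$admin_roles = array_filter((array) $config->get('admin_roles'));`, makes a missing setting behave as "no admin roles configured" instead of breaking the block. The identical expression is added to masquerade_autocomplete in the third hunk and needs the same treatment. masquerade_block_1 begins and ends outside this hunk.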
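Review bot: The new `$perm` expression tests the current user, `$user->uid == 1`, where it should test the account being listed, `$account->uid == 1`: user_access() already grants everything to uid 1, so the clause as written never changes which permission is required, while a target account with uid 1 and no configured admin role is offered under 'masquerade as user' rather than 'masquerade as admin'. Whether this only shows an extra link or also lets the switch through depends on the check performed at switch time, which is outside this patch. The same expression is repeated in the last hunk (masquerade_autocomplete) and should be corrected there too. Parenthesising the condition, `$perm = ($account->uid == 1 || array_intersect((array) $account->roles, $admin_roles)) ? 'masquerade as admin' : 'masquerade as user';`, would also make the `||`-before-`?:` precedence explicit to readers. masquerade_block_1 continues outside the hunk.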
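Review bot: `global $user;` is introduced after the first statement of masquerade_autocomplete and wrapped in two blank lines; the conventional place is the first line of the function body, ahead of `$config = config('masquerade.settings');`, so the dependency on request state is visible at a glance. The new comment `// Check if user qualifies as admin.` describes the later permission test rather than the assignment it sits above; `// Roles whose accounts require 'masquerade as admin' to switch to.` matches what `$admin_roles` is used for in the loops. The function continues past the end of the hunk.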
@@ -752,11 +761,17 @@ function masquerade_autocomplete($string) {
 $matches[$anonymous] = $anonymous;
 }
 // Other suggestions.
- $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER(:string)", 0, 10, array(
+ $result = db_query_range("SELECT uid, name FROM {users} WHERE LOWER(name) LIKE LOWER(:string)", 0, 10, array(
 ':string' => $string . '%',
 ));
- foreach ($result as $user) {
- $matches[$user->name] = check_plain($user->name);
+ foreach ($result as $switch_user) {
+ $account = user_load($switch_user->uid);
+ $perm = $user->uid == 1 || array_intersect((array) $account->roles, $admin_roles) ?
+ 'masquerade as admin' :
+ 'masquerade as user';
+ if (user_access($perm)) {
+ $matches[$account->name] = check_plain($account->name);
+ }
 }
 if (module_exists('devel')) {
 $GLOBALS['devel_shutdown'] = FALSE;
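Review bot: The rewritten `$result = db_query_range(...)` line still binds the raw `$string . '%'` as the LIKE argument, so `%` and `_` typed into the autocomplete act as wildcards; the argument should be `':string' => db_like($string) . '%'`. Separately, the new user_access() filter runs after the `0, 10` range is applied, so the autocomplete can return fewer than ten — possibly zero — suggestions even when more permitted matches exist; either widen the range or keep fetching until ten permitted names are collected. Loading each row with `user_load($switch_user->uid)` inside the loop could be replaced by one user_load_multiple() call on the fetched uids. masquerade_autocomplete continues past the end of the hunk.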