Feature request: make 'login as user' a permission (per user group) #3501

Closed
nilsenpaul opened this issue Nov 28, 2018 · 5 comments
Labels
enhancement improvements to existing features user management 😇 features related to user management

Comments

@nilsenpaul
Contributor

Description

I would like one of my editors to be able to log in as another user, but I do not want to make him an admin. Seems like this is now impossible. Would be great if you could set a permission for this, would be even better if this could be done per user group.

@brandonkelly brandonkelly added enhancement improvements to existing features user management 😇 features related to user management labels Nov 28, 2018
@brandonkelly brandonkelly added this to the 3.2 milestone Jun 17, 2019
@brandonkelly
Member

An “Impersonate users” permission has just been added for the next 3.2 Beta release.

It doesn’t take user groups into account; however, even if a user has that permission, a “Login as user” option will only show up for users with equal or fewer permissions assigned to them, so there’s no possibility of user impersonation being used as a permission escalation vector.

@moreguppy

Hi @brandonkelly, I was going to create a new issue but this seems related?

Description

  • I have 2 User Groups — Editor and Artist
  • The Editor has permissions set to 'Impersonate User'
  • I log in as the Editor and try to impersonate an Artist but I can't see the option in the dropdown menu on the User page in the backend
  • However, as an Admin I can impersonate other users
  • The 'Editor' User Group has more permissions checked than the 'Artist' User Group

Additional info

  • Craft version: Craft Pro 3.3.14
  • PHP version: 7.3.10
  • Database driver & version: MySQL 5.7.26
  • Plugins & versions: Amazon S3 (1.2.5), Bulk Edit (1.1.1), FeedMe (4.1.2), Redactor (2.4.0)

@brandonkelly
Member

@moreguppy if the artist has any permissions that the editor doesn’t have (either directly or via the user group), then impersonation won’t be allowed. If you’re sure that’s the case, please send in your composer.json and composer.lock files, and a database backup, over to [email protected] and we can look into it from there.

@moreguppy

@brandonkelly thanks for the help, that worked.

Perhaps under 'Impersonate Users' checkbox, there could be sub-checkboxes to pick which user groups they can impersonate?

@brandonkelly
Member

@moreguppy Part of the reason we didn’t give user group-specific permissions is, there’s still the possibility that a user has some permissions set directly on their account, so even if they are in the permitted user group, you may want them to be excluded from impersonation. Which would just add another layer of confusion like you had earlier. (“User A has permission to ‘Impersonate users’ and ‘Impersonate users in the Artists group’, and yet they still can’t impersonate my Artist user - WTF!”)

I think the pure permission-based approach should be fine. If you feel comfortable having User A impersonate User B, then you should also feel comfortable ensuring they have at least all the same permissions as User B in the first place.
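
The rule discussed in this thread, as an added PHP sketch that is not Craft's own code: impersonation is allowed only when the target's effective permissions (direct plus group-inherited) are a subset of the actor's, and listing the difference shows why an option is missing. The user array shape, group names, permission handles and the handling of admin accounts are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample data; group names and permission handles are illustrative.
const GROUP_PERMISSIONS = [
    'editor' => ['impersonateUsers', 'editEntries', 'publishEntries'],
    'artist' => ['editEntries'],
];

// Effective permissions: direct grants plus everything inherited from groups.
function effectivePermissions(array $user): array
{
    $perms = $user['permissions'];
    foreach ($user['groups'] as $group) {
        $perms = array_merge($perms, GROUP_PERMISSIONS[$group] ?? []);
    }
    return array_values(array_unique($perms));
}

// Permissions the target holds that the actor lacks. Must be empty to allow.
function missingPermissions(array $actor, array $target): array
{
    return array_values(array_diff(effectivePermissions($target), effectivePermissions($actor)));
}

function canImpersonate(array $actor, array $target): bool
{
    if ($actor['admin']) {
        return true;
    }
    if ($target['admin']) {
        return false; // assumption: an admin implicitly holds every permission
    }
    return in_array('impersonateUsers', effectivePermissions($actor), true)
        && missingPermissions($actor, $target) === [];
}

$editor  = ['admin' => false, 'groups' => ['editor'], 'permissions' => []];
$artistA = ['admin' => false, 'groups' => ['artist'], 'permissions' => []];
// Same group as $artistA, plus one permission set directly on the account.
$artistB = ['admin' => false, 'groups' => ['artist'], 'permissions' => ['uploadAssets']];

foreach (['artistA' => $artistA, 'artistB' => $artistB] as $name => $target) {
    printf(
        "%s: %s (target-only permissions: %s)\n",
        $name,
        canImpersonate($editor, $target) ? 'allowed' : 'denied',
        implode(', ', missingPermissions($editor, $target)) ?: 'none'
    );
}
```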
