View Issue Details

ID: 0020772
Project: mantisbt
Category: administration
View Status: public
Last Update: 2017-11-28 12:32
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 1.3.0-rc.1
Target Version: 1.3.0-rc.2
Fixed in Version: 1.3.0-rc.2
Summary: 0020772: Allow administrators to impersonate users
Description

There are multiple scenarios where user impersonation is a useful feature. For example:

  1. When an administrator is troubleshooting an error reported by one of the users.
  2. When an administrator wants to verify what issues/projects are and are not visible to a specific user.
  3. When a user creates a (service) account and wants to create an API key for such an account.

Any user with the access of managing users should be able to do the above. Hence, instead of specifically checking for "administrator" access level, use the config option 'manage_user_threshold'.

Tags: mantishub

Relationships

has duplicate 0007561 closedcproensa "Switch user" feature request 
related to 0010291 closedcproensa Can you View what I View? 
related to 0023679 closedatrol Limit change of impersonation threshold to global config 

Activities

vboctor

2016-03-31 21:59

manager   ~0052895

PR: https://github.com/mantisbt/mantisbt/pull/749

dregad

2016-04-01 06:23

developer   ~0052896

I agree this would be a useful feature, particularly in a user support context (cases 1 & 2).

> Any user with the access of managing users should be able to do the above.
> Hence, instead of specifically checking for "administrator" access level, use
> the config option 'manage_user_threshold'.

There is a potentially sensitive security aspect to this, and as an admin I may want to delegate user management without letting them impersonate others. It may therefore be more appropriate to have a dedicated setting to control this privilege.

vboctor

2016-04-02 23:03

manager   ~0052901

I've added a separate configuration option for the impersonation threshold, defaulted to ADMINISTRATOR. So an administrator can set it to a lower threshold or NOBODY.

Related Changesets

MantisBT: master 9ee63231

2016-03-31 17:53

vboctor


Allow administrators to impersonate users

There are multiple scenarios where user impersonation is a useful feature. For example:

1. When an administrator is troubleshooting an error reported by one of the users.
2. When an administrator wants to verify what issues/projects are and are not visible to a specific user.
3. When a user creates a (service) account and wants to create an API key for such an account.

Any user with the access of managing users should be able to do the above. Hence,
instead of specifically checking for "administrator" access level, use the config
option 'manage_user_threshold'.

Fixes 0020772
Affected Issues
0020772
mod - core/authentication_api.php
mod - lang/strings_english.txt
mod - manage_user_edit_page.php
add - manage_user_impersonate.php

MantisBT: master 650ceb18

2016-04-01 15:22

vboctor


Add 'Impersonate User' to user view page

- Added the impersonate button to user view page.
- Added some impersonation APIs for access checks and used them
- Change location of 'Impersonate User' button on manage user page.

Fixes 0020772
Affected Issues
0020772
mod - core/authentication_api.php
mod - manage_user_edit_page.php
mod - view_user_page.php

MantisBT: master c711645c

2016-04-01 18:39

vboctor


Add 'impersonate_user_threshold' config option

Add a configuration option to control the threshold needed to be able
to impersonate other users.

Fixes 0020772
Affected Issues
0020772
mod - config_defaults_inc.php
mod - core/authentication_api.php
mod - docbook/Admin_Guide/en-US/Configuration.xml
mod - docbook/Admin_Guide/en-US/User_Management.xml
add - docbook/Admin_Guide/en-US/config/user.xml
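
An added example, not part of the MantisBT code base or of this issue: a Python check over constructed config_inc.php-style snippets that reports who may impersonate once 'impersonate_user_threshold' is kept separate from 'manage_user_threshold', as discussed in the notes above. The `$g_` variable prefix, the numeric access-level values and the default for 'manage_user_threshold' are assumptions, and only scalar thresholds are handled.

```python
import re

# MantisBT access levels; numeric values assumed from its standard constants.
LEVELS = {"VIEWER": 10, "REPORTER": 25, "UPDATER": 40, "DEVELOPER": 55,
          "MANAGER": 70, "ADMINISTRATOR": 90, "NOBODY": 100}
# impersonate default is stated in the issue; manage_user default is assumed.
DEFAULTS = {"manage_user_threshold": "ADMINISTRATOR",
            "impersonate_user_threshold": "ADMINISTRATOR"}
# Matches uncommented lines such as: $g_impersonate_user_threshold = NOBODY;
ASSIGN = re.compile(r"^[ \t]*\$g_(\w+)[ \t]*=[ \t]*(\w+)[ \t]*;", re.M)

def read_thresholds(config_text):
    """Return both thresholds as integers; the last assignment wins."""
    raw = dict(DEFAULTS)
    for name, value in ASSIGN.findall(config_text):
        if name in raw:
            raw[name] = value
    out = {}
    for name, value in raw.items():
        if not value.isdigit() and value not in LEVELS:
            raise ValueError(f"{name}: unknown access level {value!r}")
        out[name] = int(value) if value.isdigit() else LEVELS[value]
    return out

def allowed(config_text, setting, level):
    """True if a user at `level` meets the threshold named by `setting`."""
    return LEVELS[level] >= read_thresholds(config_text)[setting]

def audit(config_text):
    """List findings about who can impersonate under this configuration."""
    t = read_thresholds(config_text)
    imp, mgr = t["impersonate_user_threshold"], t["manage_user_threshold"]
    findings = []
    if imp >= LEVELS["NOBODY"]:
        findings.append("impersonation is disabled for every user")
    elif imp < LEVELS["ADMINISTRATOR"]:
        who = [n for n, v in LEVELS.items() if imp <= v < LEVELS["NOBODY"]]
        findings.append("impersonation threshold below ADMINISTRATOR; "
                        "allowed levels: " + ", ".join(who))
    if imp < mgr:
        findings.append("impersonation is open to users who cannot manage accounts")
    return findings

# Constructed sample configs, not taken from any real installation.
DELEGATED = "<?php\n$g_manage_user_threshold = MANAGER;\n"
LOWERED = DELEGATED + "// $g_impersonate_user_threshold = NOBODY;\n" \
                      "$g_impersonate_user_threshold = DEVELOPER;\n"

if __name__ == "__main__":
    for label, cfg in (("delegated", DELEGATED), ("lowered", LOWERED)):
        print(label, audit(cfg) or "no findings")
```

With `DELEGATED`, a MANAGER-level account can manage users but fails the impersonation check, which is the separation the dedicated setting was added for.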