oivoodoo / devise_masquerade

Extension for devise, enable login as functionality. Add link to the masquerade_path(resource) and use it.

user_masquerade? not working as expected (and it goes terribly wrong)

KevinBerthier opened this issue · comments

I had a case in production where a user was logged in as another (admin) account.

After investigation in version 1.3.2, the helper user_masquerade? returns true for ALL logged-in users when masquerade is used.

That means:

if user_masquerade?
  = link_to "Reverse masquerade", back_masquerade_path(current_user)

shows the back link for ALL logged-in users.

The funniest part? If any user clicks this link he becomes logged in as the user who used masquerade (in our case an admin user...).

commented

Hi @KevinBerthier. Please give version 1.3.4 a try and write back in case it works better for you. It looks like it's a pretty scary issue, thank you for reporting.

commented

@KevinBerthier let's wait. Going to test properly in the evening and write back in the thread.

Hello. Is there any solution for this issue? I ran into a similar issue here, but user_masquerade? is always false on my side. I updated the gem to 1.3.5 but still have the issue.

commented

Hi @zoe0119 and @KevinBerthier. Please give version 1.3.6 a try.

Hi, I just installed Masquerade (v. 1.3.6 with Devise 4.7.2) for the first time this afternoon, and am able to log in as another user (super helpful!!), BUT am having the same problem where user_masquerade? is returning false once I'm masquerading as that user... which means the app can't display a Return to Current User link, like so:

<% if user_masquerade? %>
  <nav>
    <%= link_to "Reverse masquerade", back_masquerade_path(current_user) %>
  </nav>
<% end %>

If I take the link out of the IF block, it will throw a RuntimeError...

[Screenshot dated 2021-03-21 showing the RuntimeError]

Any help appreciated, and THANK YOU for making such a handy gem!


Thank you @oivoodoo. As I tried last week, I rolled it back to 1.2.0. Then I noticed user_masquerade? works, but it always masquerades as myself. It seems the current_user is not changed after masquerading.

Interestingly, this issue has only happened locally; in production it works well (most of the time) with 1.3.3.

I will try 1.3.6 later.

user_masquerade? is still returning false for me on v1.3.6, unfortunately.

Same issue, I am stuck with the outdated 0.3.0 because of that.

Still seeing issues on 1.3.8, had to revert to 1.2.0.

commented

@Andy-Bell could you describe the issues? I've just recently integrated it into a new project with a simple user model and it works, with caching enabled.

When masquerading as an account, account_masquerade? returns false.

Will see if I can create a minimal replication project later.

I am having the same problem on 1.3.8, it seems: account_masquerade? is always false. @oivoodoo any idea what might be happening?

The behaviour might have stopped manifesting itself after running rails dev:cache. Not 100% sure, though.

Since v1.3.1 (cf0e152) and up to at least v1.3.8, in order for user_masquerade? to work, you need caching turned on.

Without caching turned on, this line in the #{name}_masquerades? method will fail...

::Rails.cache.exist?(key.to_sym).present?

...and you'll get false every time.

With caching turned on, user_masquerade? works as expected.

In Rails 6, to turn on caching in development mode, you run rails dev:cache. This creates a file named tmp/caching-dev.txt and is used by development.rb to use a :memory_store cache (by default). Running rails dev:cache again will turn off caching by removing the tmp/caching-dev.txt file. Restart your Rails server for changes to take effect.

https://guides.rubyonrails.org/caching_with_rails.html#caching-in-development

At runtime, you can see if your cache is on using this...

Rails.application.config.action_controller.perform_caching # should return true

In the Troubleshooting section of the README it does mention how to turn caching on in development, but it doesn't mention that not turning it will stop user_masquerade? from working.
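As an added illustration (not code from devise_masquerade or from anyone in this thread), a plain-Ruby model of the check quoted above: two stand-in stores that mirror the `exist?` behaviour of ActiveSupport's NullStore and MemoryStore, and a helper shaped like the gem's `#{name}_masquerade?` that reads its flag only from the cache. The class names, the per-session key layout and the `masquerade_usable?` guard are assumptions made for the example.

```ruby
# Stand-in for ActiveSupport::Cache::NullStore (what Rails uses in development
# when tmp/caching-dev.txt is absent): writes are discarded, exist? is always false.
class NullStore
  def write(_key, _value)
    true
  end

  def exist?(_key)
    false
  end
end

# Stand-in for ActiveSupport::Cache::MemoryStore: writes are kept in a hash.
class MemoryStore
  def initialize
    @data = {}
  end

  def write(key, value)
    @data[key] = value
  end

  def exist?(key)
    @data.key?(key)
  end
end

# Assumed shape of the helper: the "masquerading" flag lives only in the cache,
# keyed per session so one user's flag cannot leak to another logged-in user.
class MasqueradeHelper
  def initialize(cache)
    @cache = cache
  end

  def masquerade_key(session_id)
    :"masquerade_#{session_id}"
  end

  # Called when an admin starts masquerading.
  def start_masquerade!(session_id)
    @cache.write(masquerade_key(session_id), true)
  end

  # Mirrors `::Rails.cache.exist?(key.to_sym).present?`: on a NullStore the
  # flag written a moment ago is already gone, so this is always false.
  def user_masquerade?(session_id)
    @cache.exist?(masquerade_key(session_id)) ? true : false
  end
end

# Start a masquerade and immediately ask the helper whether it is in effect.
def masquerade_flag_survives?(store)
  helper = MasqueradeHelper.new(store)
  helper.start_masquerade!("constructed-session-1")
  helper.user_masquerade?("constructed-session-1")
end

# Boot-time guard an app could add: only expose the masquerade UI when
# perform_caching is on and the configured store actually persists writes.
def masquerade_usable?(perform_caching, store)
  perform_caching && !store.is_a?(NullStore)
end
```

With `MemoryStore` the flag is found; with `NullStore` the same code path answers false, which is exactly the symptom reported throughout this thread.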

It seems that this still doesn't work in development with caching enabled if you use redis_cache_store via hiredis. I'm assuming that it would also not work in production with this setup.

But, considering the possible security issues listed here, I'm not willing to push to production to test it out.

commented

@orangedsoft Hi. Not sure why it doesn't work for you in dev; you can take a look at the spec dummy app. It is dead simple.

I'm also experiencing something similar. It seems like it's an issue with assigning the current_user or current_admin_user. Last working version for us is 1.3.1 on devise 4.8 & 4.7

I am also facing the same issue with the latest version, 1.3.9. It is not working for me even after caching is turned on. The last version on which it works fine is 1.3.0.

Hello, I have added version 1.3.9 to my project and also enabled caching in dev mode. However, "user_masquerade?" always returns false. Does anyone have a solution?

@Blaxxker as you can see, @oivoodoo thinks it's dead simple. My team ended up forking and fixing it on our end to meet our needs. I'll see if I can find it; it's been a while.

@ecpantalone That would be very nice. Thanks very much

commented

@Blaxxker @ecpantalone Hi. I will appreciate it if you share the fix

commented

Hi @KevinBerthier, you were originally having the issue with the user_masquerade? method. Did you have the problem with the latest version?

@oivoodoo sorry, but we uninstalled the gem as it was too risky to use in production for us.

commented

@KevinBerthier sounds ok. I will close it in this case.

I installed the latest version of this gem, but the user_masquerade? helper is always returning "false".
You should run rails dev:cache to toggle cache "on" in order to make it work, but this is a weird hack/fix!!! In my opinion a gem should just work without any constraint for dev/prod.

@oivoodoo We are looking for a user switch feature too, but struggled with this one because of the dependence on the cache. Usually the development environment is run without cache and I would expect any gem to be able to cope with that. Is there any chance that the gem could be adapted to run without cache too?

I don't understand why this issue has been closed. I think based on this #82 (comment) comment and this commit cf0e152, we should do the following:

  • if the cache is enabled, use the cache to store / retrieve relevant information
  • if the cache is not enabled, fall back to the previous strategy: store / retrieve relevant information in the session

?

commented

@thromera Hi. Do you have cache enabled in production? If yes, is it default behaviour for Rails to enable cache in production?

The session is an unsafe place to store information about the user at all. That's the reason to have it as primary storage. Not sure why it could be an issue in development to keep the tmp/cache file.

I'm talking about the development environment. Not all developers have nor want to enable cache maybe?

> session is unsafe place to store information about the user at all. it's the reason to have it as primary storage. Not sure why it could be the issue in development to keep tmp/cache file.

Activating cache in development is just unusual in our case. Furthermore, we usually don't want to enable cache in dev because we want to see the things we work on.

As we had problems even in production, because the user switch logged out the user in some cases or at some point (probably at the third user switch), we chose another solution: the gem pretender is really easy to implement, safe to use and very popular.