Disable the "switch user" button if it would impersonate the original…

… user (see #1581) Description ----------- | Q | A | -----------------| --- | Fixed issues | Fixes #1409 | Docs PR or issue | - Commits ------- 05eab41 Disable the "switch user" button if it would impersonate the original user
contao · Mar 27, 2020 · 3988b54 · 3988b54
1 parent 0f1f735
commit 3988b54
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 3 deletions.
diff --git a/composer.json b/composer.json
@@ -138,6 +138,7 @@
         "contao/manager-plugin": "<2.0 || >=3.0",
         "doctrine/persistence": "1.3.2",
         "symfony/config": "<4.4.2",
+        "symfony/security-bundle": "4.4.* <4.4.5",
         "terminal42/contao-ce-access": "<3.0",
         "zendframework/zend-code": "<3.3.1"
     },

diff --git a/core-bundle/composer.json b/core-bundle/composer.json
@@ -110,6 +110,7 @@
         "contao/core": "*",
         "contao/manager-bundle": "4.5.* <4.5.2",
         "contao/manager-plugin": "<2.0 || >=3.0",
+        "symfony/security-bundle": "4.4.* <4.4.5",
         "terminal42/contao-ce-access": "<3.0"
     },
     "require-dev": {

diff --git a/core-bundle/src/Resources/contao/dca/tl_user.php b/core-bundle/src/Resources/contao/dca/tl_user.php
@@ -470,6 +470,11 @@
  */
 class tl_user extends Contao\Backend
 {
+	/**
+	 * @var int
+	 */
+	private static $origUserId;
+
 	/**
 	 * Import the back end user object
 	 */
@@ -700,14 +705,40 @@ public function deleteUser($row, $href, $label, $title, $icon, $attributes)
 	 */
 	public function switchUser($row, $href, $label, $title, $icon)
 	{
-		$authorizationChecker = Contao\System::getContainer()->get('security.authorization_checker');
+		$security = Contao\System::getContainer()->get('security.helper');
 
-		if (!$authorizationChecker->isGranted('ROLE_ALLOWED_TO_SWITCH') || $authorizationChecker->isGranted('ROLE_PREVIOUS_ADMIN'))
+		if (!$security->isGranted('ROLE_ALLOWED_TO_SWITCH'))
 		{
 			return '';
 		}
 
+		$disabled = false;
+
 		if ($this->User->id == $row['id'])
+		{
+			$disabled = true;
+		}
+		elseif ($security->isGranted('ROLE_PREVIOUS_ADMIN'))
+		{
+			if (self::$origUserId === null)
+			{
+				/** @var Symfony\Component\Security\Core\Authentication\Token\TokenInterface $origToken */
+				$origToken = $security->getToken()->getOriginalToken();
+				$origUser = $origToken->getUser();
+
+				if ($origUser instanceof Contao\BackendUser)
+				{
+					self::$origUserId = $origUser->id;
+				}
+			}
+
+			if (self::$origUserId == $row['id'])
+			{
+				$disabled = true;
+			}
+		}
+
+		if ($disabled)
 		{
 			return Contao\Image::getHtml(preg_replace('/\.svg$/i', '_.svg', $icon)) . ' ';
 		}

diff --git a/manager-bundle/composer.json b/manager-bundle/composer.json
@@ -63,7 +63,8 @@
         "symfony/phpunit-bridge": "4.4.*"
     },
     "conflict": {
-        "symfony/config": "<4.4.2"
+        "symfony/config": "<4.4.2",
+        "symfony/security-bundle": "4.4.* <4.4.5"
     },
     "suggest": {
         "contao/tcpdf-bundle": "To export articles as PDF files"