From 3988b5407ec7cd57f3f52d08dfdbf1ab65a0e957 Mon Sep 17 00:00:00 2001
From: Leo Feyer
Date: Fri, 27 Mar 2020 17:05:41 +0100
Subject: [PATCH] Disable the "switch user" button if it would impersonate the original user (see #1581)

Description
-----------
| Q | A
| -----------------| ---
| Fixed issues | Fixes #1409
| Docs PR or issue | -

Commits
-------
05eab413 Disable the "switch user" button if it would impersonate the original user
---
 composer.json | 1 +
 core-bundle/composer.json | 1 +
 .../src/Resources/contao/dca/tl_user.php | 35 +++++++++++++++++--
 manager-bundle/composer.json | 3 +-
 4 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/composer.json b/composer.json
index d6a9f9fc200..10f8d9c91cd 100644
--- a/composer.json
+++ b/composer.json
@@ -138,6 +138,7 @@
 "contao/manager-plugin": "<2.0 || >=3.0",
 "doctrine/persistence": "1.3.2",
 "symfony/config": "<4.4.2",
+ "symfony/security-bundle": "4.4.* <4.4.5",
 "terminal42/contao-ce-access": "<3.0",
 "zendframework/zend-code": "<3.3.1"
 },
diff --git a/core-bundle/composer.json b/core-bundle/composer.json
index 523d570f316..d93bcbf28fd 100644
--- a/core-bundle/composer.json
+++ b/core-bundle/composer.json
@@ -110,6 +110,7 @@
 "contao/core": "*",
 "contao/manager-bundle": "4.5.* <4.5.2",
 "contao/manager-plugin": "<2.0 || >=3.0",
+ "symfony/security-bundle": "4.4.* <4.4.5",
 "terminal42/contao-ce-access": "<3.0"
 },
 "require-dev": {
diff --git a/core-bundle/src/Resources/contao/dca/tl_user.php b/core-bundle/src/Resources/contao/dca/tl_user.php
index fd6af32977c..789833e464f 100644
--- a/core-bundle/src/Resources/contao/dca/tl_user.php
+++ b/core-bundle/src/Resources/contao/dca/tl_user.php
@@ -470,6 +470,11 @@
 */
 class tl_user extends Contao\Backend
 {
+ /**
+ * @var int
+ */
+ private static $origUserId;
+
 /**
 * Import the back end user object
 */
@@ -700,14 +705,40 @@ public function deleteUser($row, $href, $label, $title, $icon, $attributes)
 */
 public function switchUser($row, $href, $label, $title, $icon)
 {
- $authorizationChecker = Contao\System::getContainer()->get('security.authorization_checker');
+ $security = Contao\System::getContainer()->get('security.helper');
 
- if (!$authorizationChecker->isGranted('ROLE_ALLOWED_TO_SWITCH') || $authorizationChecker->isGranted('ROLE_PREVIOUS_ADMIN'))
+ if (!$security->isGranted('ROLE_ALLOWED_TO_SWITCH'))
 {
 return '';
 }
 
+ $disabled = false;
+
 if ($this->User->id == $row['id'])
+ {
+ $disabled = true;
+ }
+ elseif ($security->isGranted('ROLE_PREVIOUS_ADMIN'))
+ {
+ if (self::$origUserId === null)
+ {
+ /** @var Symfony\Component\Security\Core\Authentication\Token\TokenInterface $origToken */
+ $origToken = $security->getToken()->getOriginalToken();
+ $origUser = $origToken->getUser();
+
+ if ($origUser instanceof Contao\BackendUser)
+ {
+ self::$origUserId = $origUser->id;
+ }
+ }
+
+ if (self::$origUserId == $row['id'])
+ {
+ $disabled = true;
+ }
+ }
+
+ if ($disabled)
 {
 return Contao\Image::getHtml(preg_replace('/\.svg$/i', '_.svg', $icon)) . ' ';
 }
diff --git a/manager-bundle/composer.json b/manager-bundle/composer.json
index 09b3d59e87b..05b0ac3b07f 100644
--- a/manager-bundle/composer.json
+++ b/manager-bundle/composer.json
@@ -63,7 +63,8 @@
 "symfony/phpunit-bridge": "4.4.*"
 },
 "conflict": {
- "symfony/config": "<4.4.2"
+ "symfony/config": "<4.4.2",
+ "symfony/security-bundle": "4.4.* <4.4.5"
 },
 "suggest": {
 "contao/tcpdf-bundle": "To export articles as PDF files"
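Review bot: The disabled icon returned from the new `if ($disabled)` branch only hides the action in the list view; whether a direct switch-user request naming the original user is actually refused is presumably decided by the firewall's switch-user handling, which this hunk does not touch, so the `symfony/security-bundle` `<4.4.5` conflict added in the composer hunks looks like what carries the server-side guarantee and that dependency deserves a comment here, e.g. `// Presentation only: the firewall's switch-user handling enforces the actual restriction`. `self::$origUserId` stays null whenever the original token's user is not a `Contao\BackendUser`, so the `getOriginalToken()` lookup is repeated for every row, and the `@var int` docblock added in this file's first hunk is inaccurate for the `=== null` sentinel; `@var int|null` would match. `switchUser` continues past the end of the hunk.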