FEATURE: allow site owners to disable impersonation (#20783)

Site owners can now disable impersonation using the global setting
`allow_impersonation` (Eg: DISCOURSE_ALLOW_IMPERSONATION: false)

see:

https://meta.discourse.org/t/thoughts-about-impersonate-user/258795
This commit is contained in:
Sam 2023-03-23 15:16:05 +11:00 committed by GitHub
parent 4fe79ccc79
commit d87e78616d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 2 deletions

View File

@ -373,4 +373,7 @@ pg_force_readonly_mode = false
dns_query_timeout_secs = dns_query_timeout_secs =
# Default global regex timeout # Default global regex timeout
regex_timeout_seconds = regex_timeout_seconds =
# Allow impersonation function on the cluster to admins
allow_impersonation = true

View File

@ -297,7 +297,7 @@ class Guardian
# Can we impersonate this user? # Can we impersonate this user?
def can_impersonate?(target) def can_impersonate?(target)
target && GlobalSetting.allow_impersonation && target &&
# You must be an admin to impersonate # You must be an admin to impersonate
is_admin? && is_admin? &&
# You may not impersonate other admins unless you are a dev # You may not impersonate other admins unless you are a dev

View File

@ -539,6 +539,10 @@ RSpec.describe Guardian do
end end
describe "can_impersonate?" do describe "can_impersonate?" do
it "disallows impersonation when disabled globally" do
global_setting :allow_impersonation, false
expect(Guardian.new(admin).can_impersonate?(moderator)).to be_falsey
end
it "allows impersonation correctly" do it "allows impersonation correctly" do
expect(Guardian.new(admin).can_impersonate?(nil)).to be_falsey expect(Guardian.new(admin).can_impersonate?(nil)).to be_falsey
expect(Guardian.new.can_impersonate?(user)).to be_falsey expect(Guardian.new.can_impersonate?(user)).to be_falsey