Impersonating a user

Biscuit · February 18, 2018, 4:29am

I clicked impersonate a user, as they requested assistance and I wanted to see what access they had. I also wanted to understand how impersonate a user worked and what it’s used for.

I expected to simply see the same screen options that user would see, but was surprised when the screen displayed a draft of a post they were writing. It was an innocent post, but I didn’t feel comfortable seeing this work in progress & tried to exit immediately to respect their privacy. But I didn’t know how! I closed the browser, but when I returned to the site, it opened as the impersonated user again. I ended up logging out as that user, without knowing if I was also logging out the real user.

The lack of “EXIT” button during impersonation was discussed in this thread in 2014:
https://meta.discourse.org/t/impersonating-user-and-then-returning-to-admin/19382

Feature suggestions:

Display a confirmation message when someone clicks impersonate providing an indication of what’s involved, as it’s a serious action to take.
Add an obvious Exit or Stop Impersonating button.
If you don’t want to do #2 above, consider displaying a banner at the top saying something like:
“Currently impersonating User XXXXX - (take this action) to stop impersonating”
There’s currently no UI guidance about how to exit impersonation.

notriddle · February 18, 2018, 4:31am

Impersonation is supposed to allow you to check for things like broken CSS; the act of adding a message somewhere would change that.

Biscuit · February 18, 2018, 4:35am

Good point. Perhaps an alternative is to explain how to exit before impersonation commences?

However it’s done, some form of UI guidance is required.

dalerka · February 18, 2018, 5:38am

On a related note: it would be great if the act of impersonation would be covered by audit log. Is it logged somewhere? How can I see if someone has impersonated my account?

codinghorror · February 18, 2018, 5:49am

Yes, Admin, logs, as usual.

Biscuit · February 18, 2018, 6:10am

Confirmed - it’s listed in the logs.

riking · February 18, 2018, 6:15am

It would probably be workable to have the button instead pop up a short explanatory dialog with [OK, color: danger] [Cancel] buttons. Could be entirely client-side.

Impersonating blah blah acts as if you are logged in as that user. It can be useful when a member is experiencing odd behavior or you need to check their permissions.
To exit, use the “Log Out” button in the user menu.

Topic		Replies	Views
Impersonate a user and returning to admin user admins how-to , impersonate	0	4252	June 6, 2019
Un-impersonating a user on mobile? support impersonate	4	425	September 25, 2019
Impersonating a user should allow me to go back to my user feature impersonate	5	1772	July 3, 2016
Impersonate shouldn't clear notifications feature impersonate	3	1272	April 16, 2014
Add 'stop impersonating' link to user avatar dropdown when impersonating feature impersonate	33	6000	September 21, 2022

Impersonating a user

Related Topics