Impersonating a user


(Biscuit) #1

I clicked impersonate a user, as they requested assistance and I wanted to see what access they had. I also wanted to understand how impersonate a user worked and what it’s used for.

I expected to simply see the same screen options that user would see, but was surprised when the screen displayed a draft of a post they were writing. It was an innocent post, but I didn’t feel comfortable seeing this work in progress & tried to exit immediately to respect their privacy. But I didn’t know how! I closed the browser, but when I returned to the site, it opened as the impersonated user again. I ended up logging out as that user, without knowing if I was also logging out the real user.

The lack of an “EXIT” button during impersonation was discussed in this thread in 2014:

Feature suggestions:

  1. Display a confirmation message when someone clicks impersonate providing an indication of what’s involved, as it’s a serious action to take.

  2. Add an obvious Exit or Stop Impersonating button.

  3. If you don’t want to do #2 above, consider displaying a banner at the top saying something like:
    "Currently impersonating User XXXXX - (take this action) to stop impersonating"
    There’s currently no UI guidance about how to exit impersonation.

(Michael Howell) #2

Impersonation is supposed to allow you to check for things like broken CSS; the act of adding a message somewhere would change that.

(Biscuit) #3

Good point. Perhaps an alternative is to explain how to exit before impersonation commences?

However it’s done, some form of UI guidance is required.

(Daler) #4

On a related note: it would be great if the act of impersonation would be covered by audit log. Is it logged somewhere? How can I see if someone has impersonated my account?

(Jeff Atwood) #5

Yes, Admin, logs, as usual.

(Biscuit) #6

Confirmed - it’s listed in the logs.

(Kane York) #7

It would probably be workable to have the button instead pop up a short explanatory dialog with [OK, color: danger] [Cancel] buttons. Could be entirely client-side.

Impersonating blah blah acts as if you are logged in as that user. It can be useful when a member is experiencing odd behavior or you need to check their permissions.
To exit, use the “Log Out” button in the user menu.