Recursive Impersonation

Hello everyone,

I set up a discourse server for a client and let them create test accounts, which I knew will ultimately become obsolete once the SSO was in place. I set everything up, customised my theme and wrote category descriptions for everything using my admin account A.

Once I had DiscourseConnect setup (as the only sign-up option) I signed in with my admin account from the other system and granted that account B admin rights. From here on I would do anything under account B, as I couldn’t log in as A anymore.

Then I happend upon the “impersonate” button and got curious. Seemed like I didn’t have to delete account A, if I could just impersonate them to edit category descriptions, FAQs etc. So I used B to impersonate A and did a bunch of edits to test and everything was great.

Until I got curious if I could impersonate the forum’s bot account as well. So, while still impersonating A (who happened to be an admin) I decided to impersonate C. It worked, great stuff, so diligently I logged out and went about my day.

Now, when logged in as B I can no longer impersonate A or C (other users are fine). The spot where the button should appear just reads “Admins and moderators can’t be deleted”.
The logs say that “B impersonated A” and “A impersonated C”.

I wasn’t sure whether this warrants a bug report - as I currently have no way of reproducing my steps - or if there was an easy way to fix this?

Thanks in advance,
Flo

Hey Flo, welcome to the community :wave:t2:

The Impersonate button is still there and I am on the latest build.

Is it possible to log in to the Admin A account using /users/admin-login to log in via email? That may allow you to untie the knot?

2 Likes

Hi Gavin,

How can I tell which version I’m on through the interface? On the Dashboard it says last updated on August 3rd, but I can’t see a version number.

Thanks

Hi JammyDoger,

I didn’t know this route existed! That definitely solves the problem of circumventing DiscourseConnect, though I haven’t been able to untie the knot so to speak. Impersonate buttons show up for user A though, so I’m assuming they’re currently not impersonating anyone?

You can view source. It’s not hard to find.

Visit /u/admin-login and change the admin account email to one that can log in via sso. You could also change the address via the rails console.

1 Like

Hi Jay,

I just wrongly assumed that if you’re deliberately hiding the information from admins, then it wouldn’t be public. 2.8.0.beta4 it is.

Regarding your second suggestion, I don’t want to do that as user A has no equivalent on my other system, however any user can potentially have an account on the forum.

Can you now log out of the Admin A account to make sure it’s reset to admin and not impersonating anyone?

(and log out Admin B too, just in case :slightly_smiling_face:)

Hi JammyDodger,

Yeah, I logged out of both and back into B and no dice :upside_down_face:

Does yours look like this?

That’s about the bottom of my tiny barrel of knowledge. :slightly_smiling_face: I wasn’t sure if admins could impersonate other admins (I thought it was only developers). Did you remove Admin B from this list?

Hopefully someone with deeper knowledge pockets can chip in with something more salient. :slightly_smiling_face::crossed_fingers:

1 Like

Hi Gavin,

No, I’m not seeing a Version section

Then your account is not an Admin.

I would suggest you add your Account B to the Dev section in the app. yml like @JammyDodger mentioned.

  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS: 'gavin@truecode.co.za'
2 Likes

Seems like you were on the right track after all, thanks!
Your input was much appreciated ˆˆ

2 Likes

That worked, the impersonate buttons are back! Thanks Gavin ˆˆ

Though I’m still not seeing the Version section of the dashboard and it’s still unclear why I was able to impersonate someone in the first place…

1 Like