Recursive Impersonation

Hello everyone,

I set up a Discourse server for a client and let them create test accounts, which I knew would ultimately become obsolete once the SSO was in place. I set everything up, customised my theme and wrote category descriptions for everything using my admin account A.

Once I had DiscourseConnect set up (as the only sign-up option) I signed in with my admin account from the other system and granted that account B admin rights. From here on I would do everything under account B, as I couldn't log in as A anymore.

Then I happened upon the "impersonate" button and got curious. It seemed like I didn't have to delete account A if I could just impersonate it to edit category descriptions, FAQs etc. So I used B to impersonate A and did a bunch of edits to test, and everything was great.

Until I got curious whether I could impersonate the forum's bot account as well. So, while still impersonating A (who happened to be an admin) I decided to impersonate C. It worked, great stuff, so I diligently logged out and went about my day.

Now, when logged in as B, I can no longer impersonate A or C (other users are fine). The spot where the button should appear just reads "Admins and moderators can't be deleted".
The logs say that “B impersonated A” and “A impersonated C”.

I wasn't sure whether this warrants a bug report, as I currently have no way of reproducing my steps, or if there is an easy way to fix this?

Thanks in advance,

Hey Flo, welcome to the community :wave:

The Impersonate button is still there and I am on the latest build.

Is it possible to log in to the Admin A account using /users/admin-login to log in via email? That may allow you to untie the knot?


Hi Gavin,

How can I tell which version I’m on through the interface? On the Dashboard it says last updated on August 3rd, but I can’t see a version number.


Hi JammyDodger,

I didn't know this route existed! That definitely solves the problem of circumventing DiscourseConnect, though I haven't been able to untie the knot, so to speak. Impersonate buttons show up for user A though, so I'm assuming they're currently not impersonating anyone?

You can view source. It’s not hard to find.

Visit /u/admin-login and change the admin account email to one that can log in via sso. You could also change the address via the rails console.


Hi Jay,

I just wrongly assumed that if you're deliberately hiding the information from admins, then it wouldn't be public. 2.8.0.beta4 it is.

Regarding your second suggestion, I don't want to do that, as user A has no equivalent on my other system; however, any user can potentially have an account on the forum.

Can you now log out of the Admin A account to make sure it’s reset to admin and not impersonating anyone?

(and log out Admin B too, just in case :slightly_smiling_face:)

Hi JammyDodger,

Yeah, I logged out of both and back into B and no dice :upside_down_face:

Does yours look like this?

That’s about the bottom of my tiny barrel of knowledge. :slightly_smiling_face: I wasn’t sure if admins could impersonate other admins (I thought it was only developers). Did you remove Admin B from this list?

Hopefully someone with deeper knowledge pockets can chip in with something more salient. :slightly_smiling_face::crossed_fingers:


Hi Gavin,

No, I’m not seeing a Version section

Then your account is not an Admin.

I would suggest you add your account B to the Dev section in the app.yml, like @JammyDodger mentioned.

  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example ','
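As an added illustration (not part of the original posts, and not a copy of anyone's actual app.yml), this is what the relevant `env:` section of a standard Discourse `containers/app.yml` looks like with a developer email set. The email address and the other settings shown are placeholders; only the `DISCOURSE_DEVELOPER_EMAILS` key is the point here. After editing the file you need to rebuild the container (`./launcher rebuild app`) for the change to take effect, and the account with that address must then sign in (or already exist) to be granted admin and developer status.

```yaml
# Excerpt of containers/app.yml (constructed example; addresses are placeholders)
env:
  LANG: en_US.UTF-8

  ## Comma-delimited list of emails that will be made admin and developer.
  ## Developer accounts are the ones allowed to impersonate other admins,
  ## which is why account B's SSO email goes here. Assumed address below.
  DISCOURSE_DEVELOPER_EMAILS: 'account-b@example.com'

  ## The public hostname of the forum (placeholder).
  DISCOURSE_HOSTNAME: 'forum.example.com'

  ## Sending email is unrelated to this thread but belongs in the same
  ## section of the file; placeholder values only.
  DISCOURSE_SMTP_ADDRESS: smtp.example.com
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: user@example.com
  DISCOURSE_SMTP_PASSWORD: 'change-me'
```

Note that `DISCOURSE_DEVELOPER_EMAILS` accepts several comma-separated addresses if more than one account should be able to impersonate admins, and that each listed address is a full administrator of the instance, so the list should be kept as short as possible.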

Seems like you were on the right track after all, thanks!
Your input was much appreciated ˆˆ


That worked, the impersonate buttons are back! Thanks Gavin ˆˆ

Though I'm still not seeing the Version section of the dashboard, and it's still unclear why I was able to impersonate someone in the first place…


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.