sudo


Scott Merrill

Jan 14, 2008, 9:23:59 AM
To: habar...@googlegroups.com
I'm working on basic sudo functionality for Habari. Attached is a
diff to the user class to show what I have in mind.

My question is: where would folks expect to go to become another user?

My thought was to have a button on a user's profile page that said,
basically, "Become this user". When you log out of that user, you're
back to your own user account (unless of course the login expires, in
which case your original session is destroyed along with the sudo
session).

sudo.diff

Ali B.

Jan 14, 2008, 1:56:25 PM
To: habar...@googlegroups.com
I would assume that the admin (or admin group member maybe) would be the only level having that option. But to be honest, I can't really think of a practical application of such a feature, so would love if you point some out? Also wouldn't this cause trust issues? privacy issues?

Scott Merrill

Jan 14, 2008, 2:02:52 PM
To: habar...@googlegroups.com
> On Jan 14, 2008 4:23 PM, Scott Merrill <ski...@skippy.net> wrote:
> I'm working on basic sudo functionality for Habari. Attached is a
> diff to the user class to show what I have in mind.
>
> My question is: where would folks expect to go to become another user?

On 1/14/08, Ali B. <dmon...@gmail.com> wrote:
> I would assume that the admin (or admin group member maybe) would be the
> only level having that option. But to be honest, I can't really think of a
> practical application of such a feature, so would love if you point some out?
> Also wouldn't this cause trust issues? privacy issues?

The intent of this feature is to allow an admin to use the site in the
ways that another user would see it. Say you're testing your
permissions, and want to make sure that user X can only do tasks Y and
Z. Instead of logging out, then logging back in as user X, you can
simply "sudo" to user X. Habari will from that point on treat you as
though you are user X, and you can see if your permissions were
applied correctly to her.

Another useful feature is to investigate problem reports. When a user
says "I can't do foo!" you can become them, without having to first
change their password so that you can log in as them.

It is my intention to make "sudo" a permission that can be assigned to
user groups. A default installation of Habari would apply the sudo
permission to the "Administrators" group; so by default only
administrators could do this.

Any privacy issues that might exist are between the admins and the
users of the site.

The question I'm asking is: where should we place the button that
allows you to switch into a different user?

Ali B.

Jan 14, 2008, 2:09:05 PM
To: habar...@googlegroups.com

The best place is next to the user in the user list. The button would only appear if you have the proper privileges. If not, I say the button would be hidden (not disabled).

--
Ali B.

"No one can make you feel inferior without your consent."
--  Eleanor Roosevelt

Owen Winkler

Jan 14, 2008, 2:11:24 PM
To: habar...@googlegroups.com
Scott Merrill wrote:
>
> The question I'm asking is: where should we place the button that
> allows you to switch into a different user?
>

Is it possible that you could be granted permission to become another
user from an account that does not have access to see that user's
profile? In a traditional "don't log in as admin" scenario, I would say
this is probable. In that case, perhaps the control should be a
dropdown with a button on a page that the user is guaranteed to be able
to see, like their own profile page.

Owen

Scott Merrill

Jan 14, 2008, 2:17:13 PM
To: habar...@googlegroups.com

You raise a good point.

As can be seen by the patch attached to the original message in this
thread, sudo is implemented as session data for a user account.

I think displaying a drop-down on the user's own profile page makes a
lot of sense, now that you mention it.
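
Added example, not part of the thread and not Habari's code: sudo kept as session data and gated by a group permission, with logout returning to the original account, as the messages above describe. The class and method names, the "Authors" group, the audit list and the refusal of nested sudo are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not Habari's User class or API.
// $data stands in for server-side session storage so the script runs offline.
final class SudoSession
{
    public array $data = [];   // e.g. ['user_id' => 'alice', 'sudo_as' => 'bob']
    public array $audit = [];  // who assumed which identity (assumed requirement)

    public function __construct(private array $groupsOf, private array $permsOf) {}

    public function login(string $userId): void { $this->data = ['user_id' => $userId]; }

    private function can(string $userId, string $perm): bool
    {
        foreach ($this->groupsOf[$userId] ?? [] as $group) {
            if (in_array($perm, $this->permsOf[$group] ?? [], true)) return true;
        }
        return false;
    }

    public function become(string $target): bool
    {
        $real = $this->data['user_id'] ?? null;
        // Check the real login, never the assumed identity, and refuse nested sudo.
        $ok = $real !== null && !isset($this->data['sudo_as'])
            && isset($this->groupsOf[$target]) && $this->can($real, 'sudo');
        $this->audit[] = ($ok ? 'ALLOW' : 'DENY') . ' sudo real=' . ($real ?? '-') . " target=$target";
        if ($ok) $this->data['sudo_as'] = $target;
        return $ok;
    }

    // Identity that permission checks see while the sudo session is active.
    public function effectiveUser(): ?string
    {
        return $this->data['sudo_as'] ?? $this->data['user_id'] ?? null;
    }

    // Leaving a sudo session returns to the original account; otherwise log out fully.
    public function logout(): void
    {
        if (isset($this->data['sudo_as'])) unset($this->data['sudo_as']);
        else $this->data = [];
    }
}
// Constructed sample data: only "Administrators" holds the sudo permission.
$s = new SudoSession(['alice' => ['Administrators'], 'bob' => ['Authors']],
    ['Administrators' => ['sudo', 'publish'], 'Authors' => ['publish']]);
$s->login('bob');   var_dump($s->become('alice'));
$s->login('alice'); var_dump($s->become('bob'), $s->effectiveUser());
$s->logout();       var_dump($s->effectiveUser());
print_r($s->audit);
```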
