I'm working on basic sudo functionality for Habari. Attached is a diff to the user class to show what I have in mind.
My question is: where would folks expect to go to become another user?
My thought was to have a button on a user's profile page that said, basically, "Become this user". When you log out of that user, you're back to your own user account (unless of course the login expires, in which case your original session is destroyed along with the sudo session).
I would assume that the admin (or admin group member maybe) would be the only level having that option. But to be honest, I can't really think of a practical application of such feature, so would love if you point some out? Also wouldn't this cause trust issues? privacy issues?
On Jan 14, 2008 4:23 PM, Scott Merrill <ski...@skippy.net> wrote:
> I'm working on basic sudo functionality for Habari. Attached is a diff to the user class to show what I have in mind.
> My question is: where would folks expect to go to become another user?
> My thought was to have a button on a user's profile page that said, basically, "Become this user". When you log out of that user, you're back to your own user account (unless of course the login expires, in which case your original session is destroyed along with the sudo session).
-- Ali B.
"No one can make you feel inferior without your consent." -- Eleanor Roosevelt
> On Jan 14, 2008 4:23 PM, Scott Merrill <ski...@skippy.net> wrote:
> I'm working on basic sudo functionality for Habari. Attached is a diff to the user class to show what I have in mind.
> My question is: where would folks expect to go to become another user?
> I would assume that the admin (or admin group member maybe) would be the only level having that option. But to be honest, I can't really think of a practical application of such feature, so would love if you point some out? Also wouldn't this cause trust issues? privacy issues?
The intent of this feature is to allow an admin to use the site in the ways that another user would see it. Say you're testing your permissions, and want to make sure that user X can only do tasks Y and Z. Instead of logging out, then logging back in as user X, you can simply "sudo" to user X. Habari will from that point on treat you as though you are user X, and you can see if your permissions were applied correctly to her.
Another useful feature is to investigate problem reports. When a user says "I can't do foo!" you can become them, without having to first change their password so that you can log in as them.
It is my intention to make "sudo" a permission that can be assigned to user groups. A default installation of Habari would apply the sudo permission to the "Administrators" group; so by default only administrators could do this.
Any privacy issues that might exist are between the admins and the users of the site.
The question I'm asking is: where should we place the button that allows you to switch into a different user?
> > On Jan 14, 2008 4:23 PM, Scott Merrill <ski...@skippy.net> wrote:
> > I'm working on basic sudo functionality for Habari. Attached is a diff to the user class to show what I have in mind.
> > My question is: where would folks expect to go to become another user?
> On 1/14/08, Ali B. <dmond...@gmail.com> wrote:
> > I would assume that the admin (or admin group member maybe) would be the only level having that option. But to be honest, I can't really think of a practical application of such feature, so would love if you point some out? Also wouldn't this cause trust issues? privacy issues?
> The intent of this feature is to allow an admin to use the site in the ways that another user would see it. Say you're testing your permissions, and want to make sure that user X can only do tasks Y and Z. Instead of logging out, then logging back in as user X, you can simply "sudo" to user X. Habari will from that point on treat you as though you are user X, and you can see if your permissions were applied correctly to her.
> Another useful feature is to investigate problem reports. When a user says "I can't do foo!" you can become them, without having to first change their password so that you can log in as them.
> It is my intention to make "sudo" a permission that can be assigned to user groups. A default installation of Habari would apply the sudo permission to the "Administrators" group; so by default only administrators could do this.
> Any privacy issues that might exist are between the admins and the users of the site.
> The question I'm asking is: where should we place the button that allows you to switch into a different user?
The best place is next to the user in the user list. The button would only appear if you have the proper privileges. If not, I say the button would be hidden (not disabled).
-- Ali B.
"No one can make you feel inferior without your consent." -- Eleanor Roosevelt
> The question I'm asking is: where should we place the button that allows you to switch into a different user?
Is it possible that you could be granted permission to become another user from an account that does not have access to see that user's profile? In a traditional "don't log in as admin" scenario, I would say this is probable. In that case, perhaps the control should be a dropdown with a button on a page that the user is guaranteed to be able to see, like their own profile page.
On 1/14/08, Owen Winkler <epit...@gmail.com> wrote:
> > The question I'm asking is: where should we place the button that allows you to switch into a different user?
> Is it possible that you could be granted permission to become another user from an account that does not have access to see that user's profile? In a traditional "don't log in as admin" scenario, I would say this is probable. In that case, perhaps the control should be a dropdown with a button on a page that the user is guaranteed to be able to see, like their own profile page.
You raise a good point.
As can be seen by the patch attached to the original message in this thread, sudo is implemented as session data for a user account.
I think displaying a drop-down on the user's own profile page makes a lot of sense, now that you mention it.
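
A sketch of the design discussed in this thread, added here as an illustration and not taken from the attached patch or from Habari: sudo kept as session data, gated by a group permission checked against the real login, with logout dropping only the sudo layer and every attempt written to an audit trail. The function names, session keys, and sample users are all assumptions.

```php
<?php
// Added illustration, not Habari code: every name here is hypothetical.
// $session models the server-side session record of one login.

function sudo_start(array &$session, array $users, array $sudoGroups,
                    string $target, array &$audit): bool {
    $real = $session['user'] ?? null;
    // Authorize the real login, never the assumed user, and refuse nesting,
    // so a sudo session cannot be used to reach a further account.
    $allowed = $real !== null
        && isset($users[$real], $users[$target])
        && !isset($session['sudo'])
        && count(array_intersect($users[$real], $sudoGroups)) > 0;
    $audit[] = ($allowed ? 'START' : 'DENY') . ' sudo real=' . ($real ?? '-') . " target=$target";
    if ($allowed) {
        $session['sudo'] = $target;   // sudo is only session data
    }
    return $allowed;
}

function effective_user(array $session): ?string {
    return $session['sudo'] ?? $session['user'] ?? null;
}

function logout(array &$session, array &$audit): void {
    if (isset($session['sudo'])) {
        // Leaving the assumed user drops the sudo layer and keeps the login.
        $audit[] = "END sudo real={$session['user']} target={$session['sudo']}";
        unset($session['sudo']);
    } else {
        $session = [];
    }
}

// Constructed sample data: user name => groups.
$users = ['admin' => ['Administrators'], 'xena' => ['Authors']];
$sudoGroups = ['Administrators'];
$audit = [];

$s = ['user' => 'admin'];
sudo_start($s, $users, $sudoGroups, 'xena', $audit);
echo effective_user($s), "\n";     // acting as the assumed user
logout($s, $audit);
echo effective_user($s), "\n";     // back on the original login

$t = ['user' => 'xena'];           // no sudo permission
sudo_start($t, $users, $sudoGroups, 'admin', $audit);
$s = [];                           // expiry: login and sudo state go together
echo implode("\n", $audit), "\n";
```

Because the sudo marker lives inside the same session record as the login, an expired or destroyed session takes both with it, and the audit lines always name the real account behind an assumed one.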