How to Impersonate a User
How to Impersonate a User¶
Sometimes, it’s useful to be able to switch from one user to another without having to log out and log in again (for instance when you are debugging or trying to understand a bug a user sees that you can’t reproduce).
Caution
User impersonation is not compatible with
pre authenticated firewalls. The
reason is that impersonation requires the authentication state to be maintained
server-side, but pre-authenticated information (SSL_CLIENT_S_DN_Email,
REMOTE_USER or other) is sent in each request.
Impersonating the user can be done by activating the switch_user firewall
listener:
- YAML
1 2 3 4 5 6 7 8
# app/config/security.yml security: # ... firewalls: main: # ... switch_user: true
- XML
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
<!-- app/config/security.xml --> <?xml version="1.0" encoding="UTF-8"?> <srv:container xmlns="http://symfony.com/schema/dic/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:srv="http://symfony.com/schema/dic/services" xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd"> <config> <!-- ... --> <firewall name="main"> <!-- ... --> <switch-user/> </firewall> </config> </srv:container>
- PHP
1 2 3 4 5 6 7 8 9 10 11
// app/config/security.php $container->loadFromExtension('security', [ // ... 'firewalls' => [ 'main'=> [ // ... 'switch_user' => true, ], ], ]);
Tip
For using the switch_user listener in a stateless firewall, set the
switch_user.stateless option to true.
To switch to another user, just add a query string with the _switch_user
parameter and the username as the value to the current URL:
1 | http://example.com/somewhere?_switch_user=thomas
|
To switch back to the original user, use the special _exit username:
1 | http://example.com/somewhere?_switch_user=_exit
|
During impersonation, the user is provided with a special role called
ROLE_PREVIOUS_ADMIN. In a template, for instance, this role can be used
to show a link to exit impersonation:
1 2 3 | {% if is_granted('ROLE_PREVIOUS_ADMIN') %}
<a href="{{ path('homepage', {'_switch_user': '_exit'}) }}">Exit impersonation</a>
{% endif %}
|
In some cases you may need to get the object that represents the impersonator
user rather than the impersonated user. Use the following snippet to iterate
over the user’s roles until you find one that is a SwitchUserRole object:
use Symfony\Component\Security\Core\Role\SwitchUserRole;
use Symfony\Component\Security\Core\Security;
// ...
class SomeService
{
private $security;
public function __construct(Security $security)
{
$this->security = $security;
}
public function someMethod()
{
// ...
if ($this->security->isGranted('ROLE_PREVIOUS_ADMIN')) {
foreach ($this->security->getToken()->getRoles() as $role) {
if ($role instanceof SwitchUserRole) {
$impersonatorUser = $role->getSource()->getUser();
break;
}
}
}
}
}
This feature needs to be made available to a small group of users.
By default, access is restricted to users having the ROLE_ALLOWED_TO_SWITCH
role. The name of this role can be modified via the role setting. For
extra security, you can also change the query parameter name via the parameter
setting:
- YAML
1 2 3 4 5 6 7 8
# app/config/security.yml security: # ... firewalls: main: # ... switch_user: { role: ROLE_ADMIN, parameter: _want_to_be_this_user }
- XML
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
<!-- app/config/security.xml --> <?xml version="1.0" encoding="UTF-8"?> <srv:container xmlns="http://symfony.com/schema/dic/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:srv="http://symfony.com/schema/dic/services" xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd"> <config> <!-- ... --> <firewall name="main"> <!-- ... --> <switch-user role="ROLE_ADMIN" parameter="_want_to_be_this_user"/> </firewall> </config> </srv:container>
- PHP
1 2 3 4 5 6 7 8 9 10 11 12 13 14
// app/config/security.php $container->loadFromExtension('security', [ // ... 'firewalls' => [ 'main'=> [ // ... 'switch_user' => [ 'role' => 'ROLE_ADMIN', 'parameter' => '_want_to_be_this_user', ], ], ], ]);
Events¶
The firewall dispatches the security.switch_user event right after the impersonation
is completed. The Symfony\Component\Security\Http\Event\SwitchUserEvent is
passed to the listener, and you can use this to get the user that you are now impersonating.
The Making the Locale “Sticky” during a User’s Session article does not update the locale when you impersonate a user. If you do want to be sure to update the locale when you switch users, add an event subscriber on this event:
// src/AppBundle/EventListener/SwitchUserSubscriber.php
namespace AppBundle\EventListener;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Http\Event\SwitchUserEvent;
use Symfony\Component\Security\Http\SecurityEvents;
class SwitchUserSubscriber implements EventSubscriberInterface
{
public function onSwitchUser(SwitchUserEvent $event)
{
$event->getRequest()->getSession()->set(
'_locale',
// assuming your User has some getLocale() method
$event->getTargetUser()->getLocale()
);
}
public static function getSubscribedEvents()
{
return [
// constant for security.switch_user
SecurityEvents::SWITCH_USER => 'onSwitchUser',
];
}
}
That’s it! If you’re using the default services.yml configuration,
Symfony will automatically discover your service and call onSwitchUser whenever
a switch user occurs.
For more details about event subscribers, see Events and Event Listeners.
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.