Fix nested impersonation
alex wennerberg alex@alexwennerberg.com
Sun, 27 Dec 2020 12:11:24 -0800
1 files changed,
5 insertions(+),
0 deletions(-)
jump to
M
http.go
→
http.go
@@ -654,6 +654,11 @@ var err error
if action == "activate" { err = activateUser(userName) } else if action == "impersonate" { + if user.ImpersonatingUser != "" { + // Don't allow nested impersonation + renderError(w, "Cannot nest impersonation, log out from impersonated user first.", 400) + return + } session, _ := SessionStore.Get(r, "cookie-session") session.Values["auth_user"] = userName session.Values["impersonating_user"] = user.Username