[Catalyst] How to "sudo" using the Authentication plugin

Robert Rothenberg robrwo at gmail.com
Sat May 12 10:09:46 GMT 2012


On 11/05/12 19:18 Tomas Doran wrote:
> 
> On 11 May 2012, at 17:45, Robert Rothenberg wrote:
> 
>> We're working on an application with a lot of users, and where the passwords
>> are encrypted (and future versions may also allow OpenID logins).
>>
>> Developers would like the ability for the "root" user to be able to become
>> another user, for the purposes of debugging problems that real users might
>> be having on a live system.
>>
>> How does one do this using the Authentication plugin?
>>
>> Obvious things to try, like $c->user($new_user), don't work, nor does
>> the (internal) $c->set_authenticated($user, $real) method.
>>
> 
> The recommended approach would be to keep $c->user 'pure', and to arrange to stash the current user in a top level base chain part, or top level auto.
> 
> If everything then subsequently uses $c->stash->{current_user} - then you can do your sudo (or whatever other mechanism you may need in future) simply by swapping out the user here.
> 
> This makes things a lot more pure - as the canonical user that $c->user will give you is (more) immutable.
> 
> Also, if you swap the 'canonical' user part way through the request - when the session plugin comes to re-serialize the session at the end of request - you're pretty stuffed, as you're now writing out the wrong user… I.e. re-sudoing, or doing any root level action is likely to require you to log out and log in again - not what you actually want! :)

We don't mind having to log out and log back in again after sudoing.

I'm not looking forward to changing every use of $c->user in the code, and I'm
concerned about how this might interact with any plugins that rely on $c->user.

Would you consider the ability to sudo a feature request for the
Authentication plugin? (with appropriate thoughts about the security
implications, of course).

Thanks,
Rob
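The stash-based arrangement Tomas describes above, written out as an added example (not code from either poster or from the Authentication plugin): $c->user stays the canonical, session-serialised identity, a top-level auto action populates $c->stash->{current_user}, and sudo only swaps that stash entry. It assumes Catalyst::Plugin::Authorization::Roles is loaded for check_user_roles, a 'root' role, and a hypothetical session key named sudo_user.

```perl
package MyApp::Controller::Root;
use Moose;
use namespace::autoclean;

BEGIN { extends 'Catalyst::Controller' }

__PACKAGE__->config(namespace => '');

# Runs before every action. $c->user is never replaced, so the session plugin
# re-serialises the real identity at end of request; everything downstream
# reads $c->stash->{current_user} instead.
sub auto : Private {
    my ($self, $c) = @_;

    return 1 unless $c->user_exists;    # anonymous request: nothing to stash

    my $current = $c->user;

    # Hypothetical session key 'sudo_user' holds the id root chose to become.
    if (my $target_id = $c->session->{sudo_user}) {
        if ($c->check_user_roles('root')) {         # only root may be honoured
            # Realm lookup by id; no password is needed to load the target.
            if (my $target = $c->find_user({ id => $target_id })) {
                $current = $target;
                $c->log->info(sprintf 'sudo: %s acting as %s',
                    $c->user->id, $target->id);     # audit trail of the swap
            }
        } else {
            # Stale or tampered key on a non-root session: discard it.
            delete $c->session->{sudo_user};
        }
    }

    $c->stash->{current_user} = $current;
    return 1;
}

# Assumed root-only action that arms the swap. Because $c->user is untouched,
# no log out / log in cycle is required to start or stop sudoing.
sub sudo : Local Args(1) {
    my ($self, $c, $target_id) = @_;
    unless ($c->check_user_roles('root')) {
        $c->res->status(403);
        $c->detach;
    }
    $c->session->{sudo_user} = $target_id;
    $c->res->redirect($c->uri_for('/'));
}

sub unsudo : Local Args(0) {
    my ($self, $c) = @_;
    delete $c->session->{sudo_user};
    $c->res->redirect($c->uri_for('/'));
}

__PACKAGE__->meta->make_immutable;
1;
```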