This Django app lets admin users impersonate other users, useful when testing and debugging permissions.
Non superusers are not allowed to perform this request, even if they have view rights to the User model, so that this cannot be used for privilege escalation.
As admin, I can choose the "Impersonate" action:
Impersonations are terminated by closing the bottom left pop-up.
Impersonate is not available for regular users, returning an error for those with view rights to the User model.
Add middleware to your middleware list and make sure it comes after django.contrib.auth.middleware.AuthenticationMiddleware:
MIDDLEWARE = [
...
'django.contrib.auth.middleware.AuthenticationMiddleware',
...
'impersonate.middleware.ImpersonateMiddleware',
...
]In one of your admin.py files, add the action to UserAdmin (or the admin model of your custom User)
from impersonate.admin import impersonate_action
from django.contrib.auth import admin
admin.UserAdmin.actions.append(impersonate_action)Or call it from any of your views (if you're not using django-admin)
from django.contrib.auth import models
from impersonate.admin import impersonate_action
def my_view(request, target_username):
return impersonate_action(None, request, models.User.objects.filter(username=target_username))