Skip to main content

Staff can login as a different user.

Project description

Impostor

pypi codecov Downloads Hit counter Python versions PyPI - Django Version Python package Upload Python Package Codacy Badge

Impostor is a Django application which allows staff members to login as a different user by using their own username and password.

Login

Login

Logged as

Logged as

Impostor log

Impostor log

Every such authentication is recorded in database and listed in admin interface to everyone with an access to ImpostorLog interface. However it is not possible to delete log entries through admin interface to make covering tracks more difficult.

Impostor was tested with Django 1.11 and above. It might work with other versions too. It also depends on Django's authentication system and assumes you use its usernames for authentication.

Impostor is a MMM project developed by Marko Samastur (markos@gaivo.net) and maintained by Andreu Vallbona (avallbona@gmail.com)
licensed under MIT license.

Installation

Impostor won't work, if you are not using Django's auth system. It currently uses settings AUTH_USER_MODEL(default: django.contrib.auth.models.User) USERNAME_FIELD(default: username) or username as authentication parameter along with password and user object _default_manager get_by_natural_key function for returning user object from USERNAME_FIELD.

First install impostor app files as you would any other Django app

pip install impostor

Next some changes to your Django settings file are inorder.

Add impostor.backend.AuthBackend To AUTHENTICATION_BACKENDS : This will add impostor auth backend to other backends. AUTHENTICATION_BACKENDS is a tuple listing backends and if you don't have it yet, then add following lines to your settings:

AUTHENTICATION_BACKENDS = (
    'impostor.backend.AuthBackend',
    'django.contrib.auth.backends.ModelBackend',
)

Also add impostor app to INSTALLED_APPS.

INSTALLED_APPS = [
    '...', 
    'impostor',
]

In order to be able to see the user logged as anotheruser in the django admin, be sure to include the 'impostor' app before the 'django.contrib.admin' in the INSTALLED_APPS.

Run

python manage.py migrate

to create needed table and you are set.

Usage

By now you should have a working system. This means that your superuser users (users with is_superuser flag set to True) can log in as different user by using their password and following concatenation:

staff_username as users_username

Example: Let's say my username is markos and I want to login as user fry. Then I would use 'markos as fry' as my username and my normal password for password.

Every such log in is logged in ImpostorLog table that can be seen through Django admin interface, but for obvious security reasons can't be manipulated there.

You can widen set of users who can impose as other users by adding a setting IMPOSTOR_GROUP to settings.py. Users belonging to a group with this name will also be able to pretend to be somebody else (but not superusers).

Impostor also provides a replacement authentication form, because two usernames can easily exceed 30 character limit of original form. Its name is BigAuthenticationForm and you can find it in impostor.forms.

NOTE: Only superuser users can use this (you have to turn on is_superuser for every user that needs this privilege) or those belonging to IMPOSTOR_GROUP and every such log in gets recorded.

Also use IMPOSTOR_GROUP cautiously because it still allows impersonating somebody with different set of permissions (and hence security breach).

Contributing

Contributions are very welcome. Tests can be run with tox, please ensure the coverage at least stays the same before you submit a pull request.

Local development

Install all the python interpreters you need via pyenv. E.g.:

pyenv install 3.9.2
pyenv install 3.8.8
pyenv install 3.7.7
pyenv install 3.6.13
pyenv install 3.5.3

and then make them global with:

pyenv global 3.9.2 3.8.8 3.7.7 3.6.13 3.5.3 

Run the tests

tox

Issues

If you encounter any problems, please file an issue along with a detailed description.

TODO/Wishlist

  • record when impostor logs out
  • mark "hijacked" requests (so impostor can tell when he is using website as somebody else and avoid doing something stupid or that you can limit what is doable in such case)
  • framework for easy notification of hijacked users (so you can notify them that their account has been accessed if you wish)
  • add some tests to improve the coverage

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

impostor-3.2.0.tar.gz (15.3 kB view details)

Uploaded Source

Built Distribution

impostor-3.2.0-py3-none-any.whl (13.7 kB view details)

Uploaded Python 3

File details

Details for the file impostor-3.2.0.tar.gz.

File metadata

  • Download URL: impostor-3.2.0.tar.gz
  • Upload date:
  • Size: 15.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.3

File hashes

Hashes for impostor-3.2.0.tar.gz
Algorithm Hash digest
SHA256 f1eb08474fd034b4ee2bf54939901b60457c1d5f95b09963cd4c4d347764dbac
MD5 1e8906f4e6a230dd04a80a5d446763ff
BLAKE2b-256 fef7fe7c73aee7987a76b38c32ee0b31a28fb4c140afb946e6b7bdf547c4ea8f

See more details on using hashes here.

File details

Details for the file impostor-3.2.0-py3-none-any.whl.

File metadata

  • Download URL: impostor-3.2.0-py3-none-any.whl
  • Upload date:
  • Size: 13.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.3

File hashes

Hashes for impostor-3.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2711aa738c4bc7eb3eff20b9121d022c023c3c2cbc2eb7e372d6fe0f7ed6eb7f
MD5 f05e76964a9790d8d4b7315297f4a14c
BLAKE2b-256 4d2bae0397f45280c0978e3addf74203fec1b932d8649478f31421368ce46c03

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page