
My question is how an admin can log in to any user account with a generic password. For example, in my database I have a user table that contains several users, and every user has one role (admin or user). How can the administrator access any user's account by entering the id of the user and the generic (global) password?

Thanks for the help

Majdi Taleb
  • The answer is in [this question](http://stackoverflow.com/q/5886713/2454790) I think – BENARD Patrick Aug 07 '15 at 14:37
  • Thank you very much, your post helped me a lot. – Majdi Taleb Aug 07 '15 at 14:50
  • You probably want to enable switch user: http://symfony.com/doc/current/cookbook/security/impersonating_user.html. If not, then you could implement your own password encoder and include a master capability. Probably not a good idea. – Cerad Aug 07 '15 at 15:32

2 Answers

0

I agree with @Cerad, "switch_user" is the recommended approach to impersonating another user.

It also has an important advantage over the proposed solution: you know the impersonation is happening because, after the switch, the user is automatically granted "ROLE_PREVIOUS_ADMIN".

So you can act accordingly, e.g. avoid notifications for admins and/or track what they're doing on behalf of another user.

Repeating here the link to documentation: http://symfony.com/doc/current/cookbook/security/impersonating_user.html

Francesco Abeni
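What "act accordingly" looks like in practice, as an added example that is not part of the answer above: the firewall is configured with `switch_user: { role: ROLE_ADMIN }` so that only administrators can append `?_switch_user=<username>` to a URL, and a request listener uses the `ROLE_PREVIOUS_ADMIN` grant to write an audit line naming both the admin and the impersonated user, then flags the request so controllers can skip notifications. The service names (`security.token_storage`, `security.authorization_checker`) are the Symfony 2.7-era ones the question dates from; the class, bundle and request-attribute names are assumptions.

```php
<?php
// Added example, not code from the question or the answers. Assumes Symfony 2.7-era
// services (security.token_storage, security.authorization_checker) and a firewall with
//     switch_user: { role: ROLE_ADMIN }
// so that only administrators may append ?_switch_user=<username> to a URL.

namespace AppBundle\EventListener;

use Psr\Log\LoggerInterface;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Role\SwitchUserRole;

/**
 * Writes one audit line per request made while an admin is impersonating someone,
 * and marks the request so controllers can skip side effects (e-mail, notifications).
 */
class ImpersonationAuditListener
{
    private $tokenStorage;
    private $authChecker;
    private $logger;

    public function __construct(TokenStorageInterface $tokenStorage, AuthorizationCheckerInterface $authChecker, LoggerInterface $logger)
    {
        $this->tokenStorage = $tokenStorage;
        $this->authChecker = $authChecker;
        $this->logger = $logger;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        if (!$event->isMasterRequest()) {
            return; // sub-requests (forward(), render()) share the same token
        }

        $token = $this->tokenStorage->getToken();
        // isGranted() throws when no token is set yet, so check the token first.
        if (null === $token || !$this->authChecker->isGranted('ROLE_PREVIOUS_ADMIN')) {
            return; // ordinary session, nothing to record
        }

        $request = $event->getRequest();
        $admin = self::findImpersonator($token);

        $this->logger->warning('Request made under impersonation', array(
            'admin'  => $admin,
            'as'     => $token->getUsername(),
            'method' => $request->getMethod(),
            'path'   => $request->getPathInfo(),
            'ip'     => $request->getClientIp(),
        ));

        // Controllers and mailers can read this (assumed attribute name) to suppress
        // "you have a new message" style notifications the real user should not get.
        $request->attributes->set('_impersonated_by', $admin);
    }

    /**
     * ROLE_PREVIOUS_ADMIN is attached as a SwitchUserRole whose source is the
     * admin's original token; that is where the impersonator's identity lives.
     */
    public static function findImpersonator(TokenInterface $token)
    {
        foreach ($token->getRoles() as $role) {
            if ($role instanceof SwitchUserRole) {
                return $role->getSource()->getUsername();
            }
        }

        return null;
    }
}
```

Register the class as a service tagged `kernel.event_listener` with `event: kernel.request` and `method: onKernelRequest`. In a Twig template, `is_granted('ROLE_PREVIOUS_ADMIN')` is the same test, and it is the usual place to show an "exit impersonation" link pointing at `?_switch_user=_exit`. Note what the master-password approach in the comments cannot give you: here the admin's own identity stays attached to the session, so every action is attributable to a person.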
0

The solution is very clear; you must add this code to resolve the problem:

<?php

// Modified copy of Symfony's core DaoAuthenticationProvider
// (Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider).
// The only change from the shipped class is the master-password check in
// checkAuthentication(): the literal 'Majdi' is accepted as the password of every account.

namespace Symfony\Component\Security\Core\Authentication\Provider;

use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class DaoAuthenticationProvider extends UserAuthenticationProvider
{
    private $encoderFactory;
    private $userProvider;

    /**
     * Constructor.
     *
     * @param UserProviderInterface   $userProvider               An UserProviderInterface instance
     * @param UserCheckerInterface    $userChecker                An UserCheckerInterface instance
     * @param string                  $providerKey                The provider key
     * @param EncoderFactoryInterface $encoderFactory             An EncoderFactoryInterface instance
     * @param bool                    $hideUserNotFoundExceptions Whether to hide user not found exception or not
     */
    public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, $providerKey, EncoderFactoryInterface $encoderFactory, $hideUserNotFoundExceptions = true)
    {
        parent::__construct($userChecker, $providerKey, $hideUserNotFoundExceptions);

        $this->encoderFactory = $encoderFactory;
        $this->userProvider = $userProvider;
    }

    /**
     * {@inheritdoc}
     */
    protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
    {
        $currentUser = $token->getUser();
        if ($currentUser instanceof UserInterface) {
            // Re-authentication from an existing session: the stored hash must not have changed.
            if ($currentUser->getPassword() !== $user->getPassword()) {
                throw new BadCredentialsException('The credentials were changed from another session.');
            }
        } else {
            if ('' === ($presentedPassword = $token->getCredentials())) {
                throw new BadCredentialsException('The presented password cannot be empty.');
            }

            // Master password: when the literal 'Majdi' is presented, the user's real
            // password is never checked, so this one string logs in to any account.
            if ('Majdi' !== $presentedPassword && !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
                throw new BadCredentialsException('The presented password is invalid.');
            }
        }
    }

    /**
     * {@inheritdoc}
     */
    protected function retrieveUser($username, UsernamePasswordToken $token)
    {
        $user = $token->getUser();
        if ($user instanceof UserInterface) {
            return $user;
        }

        try {
            $user = $this->userProvider->loadUserByUsername($username);

            if (!$user instanceof UserInterface) {
                throw new AuthenticationServiceException('The user provider must return a UserInterface object.');
            }

            return $user;
        } catch (UsernameNotFoundException $notFound) {
            $notFound->setUsername($username);
            throw $notFound;
        } catch (\Exception $repositoryProblem) {
            // Anything other than "not found" (DB down, etc.) must not look like bad credentials.
            $ex = new AuthenticationServiceException($repositoryProblem->getMessage(), 0, $repositoryProblem);
            $ex->setToken($token);
            throw $ex;
        }
    }
}

This code allows you to enter any account with only the password.

Cordially

Majdi Taleb
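If a master credential is nevertheless what you want, the answer's idea can at least be done without a plaintext literal in a copied core class. The following is an added example, not the answer's code: it extends Symfony's `DaoAuthenticationProvider` instead of duplicating it, keeps the shipped password check as the first path, reads the master secret as a bcrypt hash from configuration (the parameter name `app.master_password_hash` and the class name are assumptions), verifies it with `password_verify()` (PHP 5.5 or later) and logs every use. Wiring it in place of the `security.authentication.provider.dao` service, extra constructor arguments included, is left to the container configuration. The caveat stands: it is still one shared secret with no `ROLE_PREVIOUS_ADMIN`, so whoever learns it is every user and the log line is the only trace, which is why `switch_user` remains the better answer.

```php
<?php
// Added example, not the answer's code. Assumes Symfony 2.7-era classes, PHP >= 5.5
// (password_verify), and a container parameter app.master_password_hash holding the
// output of password_hash($secret, PASSWORD_BCRYPT). Wiring in place of the
// security.authentication.provider.dao service is not shown.

namespace AppBundle\Security;

use Psr\Log\LoggerInterface;
use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class MasterPasswordAuthenticationProvider extends DaoAuthenticationProvider
{
    private $masterHash;
    private $logger;

    public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, $providerKey, EncoderFactoryInterface $encoderFactory, $masterHash, LoggerInterface $logger, $hideUserNotFoundExceptions = true)
    {
        parent::__construct($userProvider, $userChecker, $providerKey, $encoderFactory, $hideUserNotFoundExceptions);

        // A bcrypt hash from configuration, never the secret itself.
        $this->masterHash = (string) $masterHash;
        $this->logger = $logger;
    }

    protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
    {
        try {
            // Normal path: the user's own password, exactly as the shipped provider checks it.
            parent::checkAuthentication($user, $token);

            return;
        } catch (BadCredentialsException $e) {
            if ($token->getUser() instanceof UserInterface) {
                throw $e; // session re-authentication: the master credential never applies here
            }
            // Otherwise fall through to the master credential.
        }

        $presented = $token->getCredentials();

        // Reject empty input and an unconfigured hash before touching password_verify();
        // password_verify() itself compares in constant time, unlike != on two strings.
        if (!is_string($presented) || '' === $presented
            || '' === $this->masterHash
            || !password_verify($presented, $this->masterHash)) {
            throw new BadCredentialsException('The presented password is invalid.');
        }

        // The master credential bypasses the user's password, so record whose account
        // was opened; an ordinary login log line cannot tell the two cases apart.
        $this->logger->warning('Master password used to log in', array(
            'target_user' => $user->getUsername(),
        ));
    }
}
```

Generate the hash once with `php -r 'echo password_hash("long random secret", PASSWORD_BCRYPT), PHP_EOL;'` and put only the hash in `parameters.yml`; rotating the secret then means replacing one parameter rather than editing a vendor file.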