Very nice feature, and a lovely addition.

Before we go ahead and commit it, can we ensure that security will be
okay? I noted that you had permission checks around the service
definition and UI for IMPERSONATE_ADMIN. Are we comfortable that we
didn't create any loopholes, especially around the login worker? In
other words, do you feel comfortable that we tightened all screws
around that? The reason I ask is because I note that you can
impersonate and then get back to your regular user. Where is the
session stored? Is this a servlet session variable? Is it secured?

On Sun, Aug 12, 2018 at 6:22 AM Shi Jinghai <huaru...@hotmail.com> wrote:
>
> +1.
>
> Now we can hold a cosplay party in OFBiz, right? :)
>
>
> -----Original Message-----
> From: Gil Portenseigne [mailto:gil.portensei...@nereide.fr]
> Sent: August 11, 2018 4:00
> To: dev OFBiz
> Subject: New Impersonate Feature : OFBIZ-10515
>
> Hello !
>
> I would like to introduce to you a new feature I already talked about some
> time ago (last year?). We needed it for one of our customers, who has been
> using it for some time and is very happy with it (like we are).
>
> Indeed this impersonation feature comes to be very useful when we need
> to validate some behaviour or to assist a user in production without
> asking for their credentials. It has become so easy to use that even in
> preproduction/integration environment we use it daily to impersonate
> specific configured userlogin without trying to remember the password...
>
> It's kinda basic, a new permission is created and can be granted to an
> authorized user, that will be offered a way to select a userlogin to
> impersonate.
>
> It's a common feature that can be found for example in Gitlab.
>
> If you wanna try it out it's available here :
> https://issues.apache.org/jira/browse/OFBIZ-10515
>
> Feedback is welcome :), although I'll be partly offline next week.
>
> Looking forward to reading you!
>
> Gil
