
Devise Masquerade as another User Discussion

Matt Taylor ·

Great video, can you explain more about `page.resources`? Where is that coming from, and how does it contain the user info for that method? Thanks

It's the resource for the current page that you're viewing inside Administrate. Just their naming convention since the admin is generic for any models you may have.

Matt Taylor ·

Ah, got you. Didn't connect the two when I was watching it. Thanks

Very cool! Looking forward to seeing how to build this from scratch!

Thanks, Chris!

Dan Frenette ·

Awesome tutorial! Personally I found this plugin to be a much simpler alternative when adding this feature a few months ago, but both are very good nonetheless:

There's a bunch of great options like this. Cool thing about Pretender is that it can work with anything, but the nice part of devise_masquerade is it handles all the controllers and routes for you.

Great episode, it would be nice to have another episode with JWT and **without** Devise.

Alex Musayev ·

Authenticating as another user via the admin console is a really nice idea. It may save a lot of time for QA. You inspired me to try something like this in one of my projects. But my situation is a bit different:

1. I have a separate model for admin console users.
2. The admin console is running on a separate domain (it is the same Rails app with one common DB, though).

Apparently in this case I'll have to implement a custom solution instead of using the devise_masquerade gem. Here's my idea:

- An authenticated admin clicks a link on the admin console to sign in to the primary application as some specific User.
- The application creates an authentication token and saves it to the DB. Something like this tuple: `AuthRequest.create(secret_token, target_user_id, token_expiration_time)` (assuming we have an AuthRequest model to keep authentication requests).
- After the token is persisted, the admin console redirects the admin to the primary application, using a full URL with the other domain name. `secret_token` should be one of the parameters for this request.
- The primary application validates the secret token and authenticates the current user with the associated User record. Like so (the code is simplified):

```ruby
class AuthRequestController < ApplicationController
  # Assuming this is the action that is supposed to handle admin console redirects
  def authenticate
    auth_request = AuthRequest.find(params[:id])
    sign_in(auth_request.target_user) # Calling Devise helper
    auth_request.destroy! # Eliminating the authentication request record
  end
end
```

But may be there are more straightforward ways to do this. I'll be grateful if you share your opinion.

Alex Musayev ·

(Forgot that Disqus ignores markdown, lol.)

That seems like a pretty decent solution cross-domain. Since you're sharing the database between the two, you can verify the token is only allowed for the user it was generated for and your expiration can be like 30 seconds so that the chance of that token leaking is very small.

You can also scope that AuthRequestsController to only allow admin users to access it as well so you get the same security around these tokens that devise masquerade does when it's only accessible from the admin.

Sounds like that'll work pretty nicely.
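The hand-off Alex sketches, with the two properties Chris recommends (the token is bound to the user it was minted for, and it lives only about 30 seconds), as an added plain-Ruby example that is not code from the thread or from devise_masquerade. `AuthRequestStore` stands in for the shared `AuthRequest` table, `AdminUser` for the admin-console account, and the `issue`/`redeem` names are assumptions; in the real app `redeem` would run inside the controller action before `sign_in`.

```ruby
require "securerandom"
require "digest"

# Hypothetical row of the shared AuthRequest table (assumption, not the gem's model).
# Only the SHA-256 digest of the secret is stored, so a DB read does not leak a usable token.
AuthRequest = Struct.new(:token_digest, :target_user_id, :issued_by_admin_id, :expires_at,
                         keyword_init: true)

# Hypothetical minimal admin-console account: the separate model from Alex's setup.
class AdminUser
  attr_reader :id
  def initialize(id, admin:)
    @id = id
    @admin = admin
  end

  def admin?
    @admin
  end
end

class AuthRequestStore
  TTL_SECONDS = 30 # short lifetime, as suggested in the thread

  # The clock is injectable so expiry can be exercised deterministically.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @rows = {} # token_digest => AuthRequest; stands in for the DB table
  end

  # Admin-console side: mint a random secret, persist its digest together with the
  # target user and the issuing admin, and return the secret exactly once so it can
  # be placed on the redirect URL.
  def issue(admin:, target_user_id:)
    raise ArgumentError, "only admins may issue masquerade tokens" unless admin.admin?

    secret = SecureRandom.urlsafe_base64(32)
    digest = Digest::SHA256.hexdigest(secret)
    @rows[digest] = AuthRequest.new(
      token_digest: digest,
      target_user_id: target_user_id,
      issued_by_admin_id: admin.id,
      expires_at: @clock.call + TTL_SECONDS
    )
    secret
  end

  # Primary-application side: look the row up by digest (never by a guessable id),
  # delete it first so the token is single-use even when it turns out to be expired,
  # then enforce the expiry. The target user comes from the stored row, not from the
  # URL, which is what binds the token to one user. Returns the user id or nil.
  def redeem(secret)
    return nil if secret.nil? || secret.empty?

    row = @rows.delete(Digest::SHA256.hexdigest(secret))
    return nil if row.nil?
    return nil if @clock.call > row.expires_at

    row.target_user_id
  end

  def size
    @rows.size
  end
end

if __FILE__ == $PROGRAM_NAME
  store = AuthRequestStore.new
  secret = store.issue(admin: AdminUser.new(1, admin: true), target_user_id: 42)
  # Constructed URL; the host and path are placeholders.
  puts "redirect to https://app.example.test/auth_requests/authenticate?secret_token=#{secret}"
  puts "redeemed target user id: #{store.redeem(secret).inspect}"
  puts "second use of the same token: #{store.redeem(secret).inspect}"
end
```

Keying the lookup on the digest rather than on the row's primary key matters: with `find(params[:id])` anyone who can reach the route could walk the ids, whereas the digest can only be produced by someone who holds the random secret.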

Alex Musayev ·

Short timeouts make perfect sense. Thanks for reassuring me Chris! :)

You can actually use < pre >< code > tags for syntax highlighting :)

Hello Chris, I submitted a transcript for this episode, please review it so I can earn a free month. Thank you :)

Hi Chris, firstly, thanks a lot for your videos! They're so valuable!

My first question is related to using masquerade together with the friendly_id gem. I noticed masquerade_path(@user) is redirecting to /users/masquerade/chris, for instance. If I hardcode the user id - like in /users/masquerade/8 - it works. Any insight on how I can make it work properly?

Also, and even more important: if any user tries to open this URI, even if he's not an admin, he's able to access other users' accounts \o/ won't that happen in your application as well?

Since this is an administrative thing, you could explicitly pass in the user id like this: masquerade_path( which should always put the numerical ID in, or you could take a look at overriding the masquerade query to use the friendly.find that is required for friendly_id lookups. I'd probably just pass in the ID explicitly since it's only accessible to admins.

And you can make sure this is accessible only for admins by doing this if you're using CanCan or putting your own before_action in the overridden controller to authorize for only admins:

I don't think I mentioned authorizing that url in the episode like I should have. That's an important piece!
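The two points from this reply, the admin-only guard that belongs in a `before_action` of the overridden controller and passing the numeric id instead of a friendly_id slug, as an added plain-Ruby example that is not code from the thread or from devise_masquerade. `MasqueradeGuard`, `SessionUser` and the `check` method are assumptions standing in for the controller's `current_user` and `params[:id]`; the logging is added so every masquerade attempt leaves an audit line.

```ruby
require "logger"

# Hypothetical stand-in for Devise's current_user: anything responding to id and admin?.
class SessionUser
  attr_reader :id
  def initialize(id, admin: false)
    @id = id
    @admin = admin
  end

  def admin?
    @admin
  end
end

class MasqueradeGuard
  def initialize(logger: Logger.new($stdout))
    @logger = logger
  end

  # What the before_action should check: a signed-in user whose admin? is true.
  # Anyone else must not reach the masquerade action at all.
  def authorized?(current_user)
    !current_user.nil? && current_user.admin? == true
  end

  # With friendly_id, masquerade_path(@user) yields /users/masquerade/chris, but the
  # default lookup needs the numeric primary key. Accept only a positive integer
  # string here, so a slug is rejected instead of being looked up as an id.
  def target_id(param)
    id = Integer(param.to_s.strip, 10)
    id.positive? ? id : nil
  rescue ArgumentError
    nil
  end

  # Returns [:forbidden, nil], [:not_found, nil] or [:ok, target_id]; the caller
  # maps the first two to a redirect/404 and the last to the gem's sign-in.
  def check(current_user, param)
    unless authorized?(current_user)
      actor = current_user ? current_user.id : "anonymous"
      @logger.warn("masquerade denied actor=#{actor} param=#{param.inspect}")
      return [:forbidden, nil]
    end

    id = target_id(param)
    if id.nil?
      @logger.warn("masquerade rejected non-numeric id actor=#{current_user.id} param=#{param.inspect}")
      return [:not_found, nil]
    end

    @logger.info("masquerade start actor=#{current_user.id} target=#{id}")
    [:ok, id]
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = MasqueradeGuard.new
  admin = SessionUser.new(1, admin: true)
  p guard.check(admin, "8")                 # [:ok, 8]
  p guard.check(admin, "chris")             # [:not_found, nil]
  p guard.check(SessionUser.new(5), "8")    # [:forbidden, nil]
end
```

The authorization check runs before the id is even parsed, so a non-admin learns nothing about which ids exist; the warn-level lines give the SOC something to alert on if the route is probed.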

Hey guys,

For me current_user is still returning the user I am originally logged in with.
Any help appreciated. Thanks.

There seems to be an issue in the latest version of devise_masquerade. In development the workaround of enabling caching worked:

rails dev:cache

rails dev:cache fixed it for me. Thank you.

Would this gem be configurable for a situation where the backend is a Rails API and the frontend is a React client?

Depends on how you're doing authentication. If you're using session cookies, it'll work out of the box. Otherwise you'll need to build your own mechanism that works similarly.

Hi Chris!

I'm trying to get masquerade working with the rails_admin gem but unsure how to create the masquerade path in rails_admin? Your help would be greatly appreciated!

Hey Georges-Alexandre Haines,

I was looking to do something similar and the best way I found is to create a "field" in the list view of RailsAdmin for the model.

Something like this:

```ruby
field :masquerade do
  formatted_value do
    output = []
    o = bindings[:object] # the record shown on this row of the list
    v = bindings[:view]   # the view context, used for raw/html_safe output
    output << "<a href=\"/user/masquerade/#{}\">Login as</a>"
    v.raw output.join("&nbsp;")
  end
end
```

So you can customize the view for what you see in the model's list view in RailsAdmin by doing this in the model:

```ruby
class User < ApplicationRecord
  rails_admin do
    list do
      field :id
    end
  end
end
```

@Rutul Dave
Is this working? I am getting ActionController::RoutingError.


    © 2022 GoRails, LLC. All rights reserved.