Admin Can Login as Any User

After activation, this adds two option to user profiles, only visible to administrators:

• Login as this user
• Force logout

The first allows the administrator to effectively login to the account without the user's password.  Everything behaves normally in this login state.  The only difference is that logging out will return the administrator back to their original account.
(note, please don't use this to log into another administrator's account, and then log into some other account from there, though I haven't tried what happens if you do this)

The second option just forces the user to log out if they have logged in somewhere.

Alternative version: Login As by burnacid

[Sama34]

(07-31-2011 02:05 AM)RateU Wrote:  Please make sure that you have {$adminoptions} variable in your member_profile template.

As far as I know, this plugin doesn't touch that variable at all. This plugin doesn't add anything to that template directly in activation process, and doesn't remove anything in deactivate process from it. The additional hijack options will be added "on the fly". This plugin only "care" the {$modoptions} variable in that template, not {$adminoptions} variable.

That's what I know.

Just to make it clear that the error was in from my side. If you hide all admin link from the config.php file, this plugin will not be visible as well.

[brad-t]

Where is the styling for this plugin defined? Don't really need this thing using a whole table.

[ZiNgA BuRgA]

It's in the plugin file itself.  Open it up and scroll down - you'll see the HTML code near the bottom of the file.

[brad-t]

Great, thanks.

[MyBB Ghost]

(08-24-2010 08:59 AM)ZiNgA BuRgA Wrote:  Yes, you have to be very explicit when you say these things, or I won't be able to figure out what you want exactly.

If you want to exclude users to be hijackable, don't do the edit I said earlier, instead, find both instances:

PHP Code:

if(!$user) error('Invalid UserID supplied.');

---

for both, add after:

PHP Code:

if(in_array($user['uid'], array(1,2,3))) error('Cannot log in / clear key of this user.');

---

The link will still appear, but won't work.

Where would I put that code in here?

PHP Code:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100

<?php if(!defined("IN_MYBB")) die("This file cannot be accessed directly."); $plugins->add_hook('member_login', 'admhijack_login'); $plugins->add_hook('member_logout_start', 'admhijack_logout'); $plugins->add_hook('member_profile_end', 'admhijack_profile'); function admhijack_info() { return array( 'name' => 'Admins can log into Users\' accounts', 'description' => 'Allows admins to log into another user\'s account via their profile, and quickly swap back to their account via the Logout link.', 'website' => 'http://mybbhacks.zingaburga.com/', 'author' => 'ZiNgA BuRgA', 'authorsite' => 'http://zingaburga.com/', 'version' => '1.2', 'compatibility' => '1*', 'guid' => '8a4c3db281e87508c50386874e650297' ); } function admhijack_login() { global $mybb; if(($mybb->usergroup['cancp'] != 'yes' && $mybb->usergroup['cancp'] != 1) || $mybb->input['do'] != 'hijack' || !$mybb->input['uid']) return; verify_post_check($mybb->input['my_post_key']); $user = get_user(intval($mybb->input['uid'])); if(!$user) error('Invalid UserID supplied.'); my_setcookie('mybbadminuser', $mybb->user['uid'].'_'.$mybb->user['loginkey'], null, true); my_setcookie('mybbuser', $user['uid'].'_'.$user['loginkey'], null, true); redirect('index.php', 'You have successfully logged in as '.htmlspecialchars_uni($user['username']).'<br />You will be redirected to the forum index...'); exit; } function admhijack_logout() { global $mybb, $lang; if(($mybb->usergroup['cancp'] == 'yes' || $mybb->usergroup['cancp'] == 1) && $mybb->input['do'] == 'regenkey' && $mybb->input['uid']) { verify_post_check($mybb->input['my_post_key']); $user = get_user(intval($mybb->input['uid'])); if(!$user) error('Invalid UserID supplied.'); update_loginkey($user['uid']); redirect('member.php?action=profile&uid='.$user['uid'], 'You have successfully forced the selected user to log out.'); exit; } if($mybb->version_code >= 1400) $cookies =& $mybb->cookies; else $cookies =& $_COOKIE; if(!$cookies['mybbadminuser']) return; if(!$mybb->user['uid']) redirect('index.php', $lang->redirect_alreadyloggedout); // Check session ID if we have one if($mybb->input['sid'] && $mybb->input['sid'] != $session->sid) error($lang->error_notloggedout); // Otherwise, check logoutkey else if(!$mybb->input['sid'] && $mybb->input['logoutkey'] != $mybb->user['logoutkey']) error($lang->error_notloggedout); my_setcookie('mybbuser', $cookies['mybbadminuser'], null, true); my_unsetcookie('mybbadminuser'); redirect('member.php?action=profile&uid='.$mybb->user['uid'], 'You have logged out of the hijacked account and will be logged back in to your admin account.'); exit; } function admhijack_profile() { global $templates, $mybb; if($mybb->usergroup['cancp'] != 'yes' && $mybb->usergroup['cancp'] != 1) return; if(!$templates->cache['member_profile']) $templates->cache('member_profile'); $templates->cache['member_profile'] = str_replace('{$modoptions}','{$modoptions}<br /><table border="0" cellspacing="{$theme[\'borderwidth\']}" cellpadding="{$theme[\'tablespace\']}" width="100%" class="tborder"> <tr> <td colspan="2" class="thead"><strong>Admin Options</strong></td> </tr> <tr> <td class="trow1"> <ul> <li><a href="{$mybb->settings[\'bburl\']}/member.php?action=login&amp;do=hijack&amp;uid={$uid}&amp;my_post_key={$mybb->post_code}">Log in as this user</a></li> <li><a href="{$mybb->settings[\'bburl\']}/member.php?action=logout&amp;do=regenkey&amp;uid={$uid}&amp;my_post_key={$mybb->post_code}">Force this user to log out (if logged in)</a></li> </ul> </td> </tr> </table>',$templates->cache['member_profile']); } ?>

---

[ZiNgA BuRgA]

Lulwut?

[MyBB Ghost]

I want to exclude users to be hijackable.

[ZiNgA BuRgA]

I wouldn't have guessed...

[MyBB Ghost]

So where would I put the code?

[ZiNgA BuRgA]

Where you were directed to put the code.