authorJean-Philippe Lang <jp_lang@yahoo.fr>2012-10-11 17:07:24 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2012-10-11 17:07:24 +0000
commit5344a35f723bf1501bb6274ef80195154c3e061f (patch)
tree7a9580684acfe85ac245330f450a63362f7df3a8 /app/controllers/application_controller.rb
parent2ac9f7d6ac9a5279596e4e29ec4bd7fe35100dd8 (diff)
Adds an optional X-Redmine-Switch-User header to let admin users switch user in API calls (#11755).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10608 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r--app/controllers/application_controller.rb15
1 files changed, 15 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e5234a4bc..6c7779636 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -110,6 +110,16 @@ class ApplicationController < ActionController::Base
user = User.try_to_login(username, password) || User.find_by_api_key(username)
end
end
+ # Switch user if requested by an admin user
+ if user && user.admin? && (username = api_switch_user_from_request)
+ su = User.find_by_login(username)
+ if su && su.active?
+ logger.info(" User switched by: #{user.login} (id=#{user.id})") if logger
+ user = su
+ else
+ render_error :message => 'Invalid X-Redmine-Switch-User header', :status => 412
+ end
+ end
end
user
end
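Review bot: The audit line inside `if su && su.active?` records only the admin who switched, not the account being assumed, and the `else` branch logs nothing when the header names an unknown or inactive login. Anyone reviewing impersonation activity needs both, so consider `logger.info("  User switched by: #{user.login} (id=#{user.id}) to: #{su.login} (id=#{su.id})") if logger`, plus a `logger.warn` in the `else` branch that writes the rejected value through `inspect` so a crafted header cannot forge log lines. After `render_error` the method still returns the admin `user`, so rejecting the request presumably depends on the caller halting once a response has been rendered. That caller and the start of the enclosing method are outside the hunk. Reusing `username` for the header value also shadows the credential read above it; a separate local such as `switch_login` would keep the two apart.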
@@ -508,6 +518,11 @@ class ApplicationController < ActionController::Base
end
end
+ # Returns the API 'switch user' value if present
+ def api_switch_user_from_request
+ request.headers["X-Redmine-Switch-User"].to_s.presence
+ end
+
# Renders a warning flash if obj has unsaved attachments
def render_attachment_warning_if_needed(obj)
flash[:warning] = l(:warning_attachments_not_saved, obj.unsaved_attachments.size) if obj.unsaved_attachments.present?