Post History

If you've poked around the mod tools here a bit, you may have noticed that QPixel has an impersonation feature, live on prod. It's there for much the same reasons: so that developers can test and identify issues that only appear for one user with a specific set of circumstances that would be difficult to reproduce.

If you've decided that impersonation in production is a required feature, you really only have two ways of doing it:

 * As you described, by executing permissions checks against the impersonated user but creating records as the impersonator. This requires you to change more code paths to be aware that impersonation is a possibility.
 * As we do it: with logging. Any time an impersonation is triggered, a log is automatically made to the admin audit log, which any admin can see. You can log as much detail as you need, right up to logging full details of every single HTTP request made while impersonating, if you need to. We don't go that far, but as long as you have impersonate-start and -end logs at minimum, then any actions the impersonated user takes between those points may have been impersonated.

You also, of course, have to define security policy for who's allowed to access the feature. In our setup, only developers have access to it - and a developer account is defined by a flag that's only settable via raw database or console access: there's no way to do it in the UI. While only a developer can impersonate someone, _any_ administrator can see the logs of it, which is how it should be: restrict the feature, but let a wider team be able to see when it's being used.