/ src / views / elements / ImpersonatebarElement.php
<?php
/**
 * SeekQuarry/Yioop --
 * Open Source Pure PHP Search Engine, Crawler, and Indexer
 *
 * Copyright (C) 2009 - 2026  Chris Pollett chris@pollett.org
 *
 * LICENSE:
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see
 * <https://www.gnu.org/licenses/>.
 *
 * END LICENSE
 *
 * @author Chris Pollett chris@pollett.org
 * @license https://www.gnu.org/licenses/ GPL3
 * @link https://www.seekquarry.com/
 * @copyright 2009 - 2026
 * @filesource
 */
namespace seekquarry\yioop\views\elements;

use seekquarry\yioop\configs as C;

/**
 * Element that draws the "acting as" banner shown while a user with
 * Manage Users access is impersonating another account. It renders
 * only when the session marks an impersonation in progress, so the
 * authenticated views that include it pay nothing on a normal
 * session. The banner shows who is acting as whom and a Switch Back
 * control that reveals an inline password field; submitting it
 * re-authenticates the original user and restores the session.
 *
 * @author Chris Pollett chris@pollett.org
 */
class ImpersonatebarElement extends Element
{
    /**
     * Draws the impersonation banner if the session indicates an
     * act-as is in progress; otherwise draws nothing.
     *
     * @param array $data fields from the controller; uses the
     *      CSRF token for the re-auth form. The acting-as and
     *      impersonator names come from the session so the banner
     *      can render on any authenticated view without a per-page
     *      lookup.
     */
    public function render($data)
    {
        if (empty($_SESSION['IMPERSONATOR_RETURN_NAME'])) {
            return;
        }
        $impersonator = $_SESSION['IMPERSONATOR_RETURN_NAME'];
        $acting_as = $_SESSION['USER_NAME'] ?? '';
        $token = $data[C\p('CSRF_TOKEN')] ?? '';
        $admin_url = htmlentities(C\SHORT_BASE_URL);
        ?><div class="impersonation-banner"><span><?=
        tl('adminbar_element_acting_as', $impersonator, $acting_as)
        ?></span>
        <a href="#" id="impersonation-reveal"
            onclick="elt('impersonation-reveal').classList.add(
            'none'); elt('impersonation-stop').classList.remove(
            'none'); elt('impersonator-password').focus();
            return false;"><?=
            tl('adminbar_element_switch_back') ?></a>
        <form id="impersonation-stop" action="<?= $admin_url ?>"
            class="impersonation-stop none" method="post"
            autocomplete="off">
        <input type="hidden" name="c" value="admin" >
        <input type="hidden" name="a" value="manageAccount" >
        <input type="hidden" name="arg" value="stopactingas" >
        <input type="hidden" name="<?= C\p('CSRF_TOKEN') ?>"
            value="<?= $token ?>" >
        <input type="password" id="impersonator-password"
            name="impersonator_password" placeholder="<?=
            tl('adminbar_element_impersonator_password',
            $impersonator) ?>" >
        <button type="submit" class="button-box impersonation-go"
            title="<?= tl('adminbar_element_switch_back')
            ?>">&#8594;</button>
        <button type="button" class="button-box impersonation-go"
            title="<?= tl('adminbar_element_cancel_switch') ?>"
            onclick="elt('impersonation-stop').classList.add('none');
            elt('impersonation-reveal').classList.remove('none');
            return false;">&#10005;</button>
        </form></div><?php
    }
}
X