I have the AuthLogic plugin installed in my RoR app. I am not creating an app that needs to be high security. But I would like it if admins can log in as a particular user without having to know each and every one of their passwords.

I cannot find where AuthLogic actually validates the entered password upon login.

Anyone have any recommendations or advice as to the best method?

+1  A: 

Validation happens in the Authlogic::Session::Password module.

If you wanted to override the default behavior, you would do the following:

class UserSession < Authlogic::Session::Base
  verify_password_method :my_verify_method

  private

  def my_verify_method
    if admin_user? # method that checks to see if the current user is an admin
      true
    else
      valid_password? # use default valid password method
    end
  end
end
Rob Di Marco
If you are logging in, can you still access the `current_user`?
nathanvda
A: 

I would suggest the following. First you have to be logged in as an administrator, otherwise anybody could log in if they knew the magic word.

Then inside your list of users you could show a link that redirects to an action that will log the currently logged-in admin in as that user. This way you can only show that link to the persons with the correct rights.

Logging in in code is actually pretty easy: just do `UserSession.create!(user)`, just the same as you test it, so that should work I assume.

nathanvda
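The flow from the second answer (an already authenticated admin switches into a user's account), sketched as an added example that is not part of either answer or of Authlogic. The `User` struct, the `Impersonation` class, the `:impersonator_id` session key and the audit log are assumptions made for illustration; the session creator is injected so the block runs without Rails.

```ruby
require "time"

# Constructed stand-in for the app's User model (assumption: it has an admin flag).
User = Struct.new(:id, :login, :admin, keyword_init: true)

class Impersonation
  class NotAuthorized < StandardError; end

  attr_reader :audit_log

  # session_creator is injected so this runs without Rails; in the app it
  # would be ->(user) { UserSession.create!(user) } as in the answer above.
  def initialize(session, session_creator)
    @session = session            # hash-like, e.g. the Rails session
    @session_creator = session_creator
    @audit_log = []
  end

  # Switch the current admin into `target`'s account. No password is checked;
  # the only gate is that the caller is already authenticated as an admin.
  def start(current_user, target)
    raise NotAuthorized, "login required" if current_user.nil?
    raise NotAuthorized, "admins only" unless current_user.admin
    raise NotAuthorized, "cannot impersonate another admin" if target.admin
    raise NotAuthorized, "already impersonating" if @session[:impersonator_id]

    @session_creator.call(target)
    @session[:impersonator_id] = current_user.id   # remember who is really acting
    record(:start, current_user.id, target.id)
    target
  end

  # Return to the admin's own session; find_user looks a user up by id.
  def stop(current_user, find_user)
    admin_id = @session.delete(:impersonator_id)
    raise NotAuthorized, "not impersonating" if admin_id.nil?

    admin = find_user.call(admin_id)
    @session_creator.call(admin)
    record(:stop, admin.id, current_user.id)
    admin
  end

  private

  def record(event, admin_id, target_id)
    @audit_log << { event: event, admin_id: admin_id, target_id: target_id,
                    at: Time.now.utc.iso8601 }
  end
end
```

Keeping the real admin's id in the session lets every request made while impersonating be attributed to the admin, and lets the admin return without logging in again.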