Impersonated guest user cannot logout #64

Closed
SergioBertolinSG opened this issue Oct 9, 2017 · 17 comments

@SergioBertolinSG

SergioBertolinSG commented Oct 9, 2017

Steps to reproduce

  1. Having impersonate and guest apps enabled.
  2. Create a group 'group1' and add some users, including one called 'group_admin', which is the group admin.
  3. Make 'group1' eligible for impersonation.
  4. Create a guest user by sharing a folder with an email. Using the guest user set a password to the account.
  5. Login with guest user. Check you can see the shared folder content.
  6. Add the guest user to the group 'group1'.
  7. As 'group_admin' impersonate guest user.
  8. Try to logout.

Expected behaviour

Impersonating user can logout. Or maybe simply the user should not be able to impersonate a guest user.

Actual behaviour

Logout fails and the page keeps spinning, not being able to log out.

Server configuration

Operating system:
Ubuntu 16.04

Web server:
Apache

Database:
MySQL

PHP version:
7.0

ownCloud version: (see ownCloud admin page)
current Master
{"installed":"true","maintenance":"false","needsDbUpgrade":"false","version":"10.0.3.0","versionstring":"10.0.3 beta","edition":"Community","productname":"ownCloud"}

Updated from an older ownCloud or fresh install:
Fresh

The content of config/config.php:


Are you using external storage, if yes which one: local/smb/sftp/...
No.

Are you using encryption:
No.

Logs

Client configuration

Browser
Firefox

** browser logs **

Failed to load resource: the server responded with a status of 403 (Forbidden)
impersonate_logout.js?v=77537904fa2d3ea454b076ee2a6628dd:50 Uncaught TypeError: Cannot read property 'error' of undefined
    at Object.<anonymous> (impersonate_logout.js?v=77537904fa2d3ea454b076ee2a6628dd:50)
    at j (jquery.min.js:2)
    at Object.fireWith [as rejectWith] (jquery.min.js:2)
    at x (jquery.min.js:4)
    at XMLHttpRequest.<anonymous> (jquery.min.js:4)

cc @sharidas

@SergioBertolinSG
Author

@pmaier1 please clarify whether guest users should be able to be impersonated or not.

@PVince81
Contributor

PVince81 commented Oct 9, 2017

I think it makes sense to allow impersonating guest users. This way an admin can find out what such user is actually seeing like what apps, visible folders, etc.

@pmaier1
Contributor

pmaier1 commented Oct 9, 2017

This way an admin can find out what such user is actually seeing like what apps, visible folders, etc.

Well, an admin could also just create a "test guest". Anyway, impersonating guests should work as well, yes.

@SergioBertolinSG
Author

Ok thanks.

@sharidas
Contributor

@SergioBertolinSG Thanks for helping me set up the SMTP settings for validating the issue. I guess the problem with logout is due to not whitelisting the impersonate app in the guest app settings:
(screenshot: guestapp_settings)

When I whitelist impersonate app, the logout is working.

@SergioBertolinSG
Author

Oh maybe that is why the guest user cannot impersonate anyone then.

@SergioBertolinSG
Author

I think guest users should not be able to impersonate anyone.

Is it possible to have the logout feature and not be able to impersonate as a guest user?

@PVince81
Contributor

The logout function needs to go to a special route when a user is impersonated, that special route is from the impersonate app. If the app is not whitelisted, I suspect that the special route will fail.

@SergioBertolinSG were you impersonating the guest user or is it just a simple "login" where the logout fails ?

@sharidas does the impersonate JS code load even when a user is not being impersonated ?
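The failure mode PVince81 describes, as an added toy model that is not ownCloud's code: a guest-only app allowlist that also blocks the impersonation logout route, reproducing the 403 and the stuck impersonated session, beside the two mitigations discussed in this thread (exempting the session-ending route from the allowlist, or whitelisting the impersonate app). The route paths and the default allowlist are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Hypothetical route names for this model; not the real ownCloud routes.
CORE_LOGOUT_ROUTE = "/logout"
IMPERSONATE_LOGOUT_ROUTE = "/apps/impersonate/logout"


@dataclass
class Session:
    user: str
    is_guest: bool
    impersonated_by: Optional[str] = None  # admin who impersonated this user, if any


@dataclass
class GuestPolicy:
    # App allowlist for guests; 'impersonate' is absent by default, as in the report.
    allowed_apps: Set[str] = field(default_factory=lambda: {"files", "files_sharing"})
    # Routes guests may always reach regardless of the app allowlist (the fix).
    always_allowed: Set[str] = field(default_factory=set)


def route_app(path: str) -> str:
    """Map '/apps/<app>/...' to its app name; any other path belongs to 'core'."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "apps" else "core"


def authorize(session: Session, path: str, policy: GuestPolicy) -> int:
    """Guest allowlist check: 200 if the request may proceed, 403 if blocked."""
    if not session.is_guest:
        return 200  # the allowlist applies to guest accounts only
    app = route_app(path)
    if app == "core" or path in policy.always_allowed or app in policy.allowed_apps:
        return 200
    return 403  # every other app route is blocked for guests


def logout(session: Session, policy: GuestPolicy) -> int:
    """Log out via the route the client would use and return the HTTP status.
    An impersonated session that succeeds reverts to the admin's own session;
    on 403 the session is left untouched, which is the stuck state in the report."""
    path = IMPERSONATE_LOGOUT_ROUTE if session.impersonated_by else CORE_LOGOUT_ROUTE
    status = authorize(session, path, policy)
    if status == 200 and session.impersonated_by:
        session.user, session.is_guest = session.impersonated_by, False
        session.impersonated_by = None
    return status
```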

@SergioBertolinSG
Author

@SergioBertolinSG were you impersonating the guest user or is it just a simple "login" where the logout fails ?

The logout fails when impersonating a guest user.

@sharidas
Contributor

@PVince81 Yes, the JS code is not loaded when the user is not being impersonated. And in the guest app case, it fails to load the JS code because the impersonate app is not whitelisted (by default).

@PVince81
Contributor

Hmm, that's a tricky situation then. We'd still need to somehow bypass the whitelist block to be able to load that one JS file.

@sharidas
Contributor

Aah, hold on... Sorry for stating that the JS is not loaded. The JS impersonate_logout.js is loaded. But the problem is accessing logoutcontroller.php. Need to think how to bypass the whitelist block...

@PVince81
Contributor

Is there such a thing like a logout prehook ? If yes we could change the logic to listen to the prehook. If that works, you won't need to override the logout link any more and it would just go through the regular logout process, and call the impersonate logout part through the hook.

@sharidas
Contributor

Couldn't find a logout prehook.

@sharidas
Contributor

PR here: #68

@pmaier1
Contributor

pmaier1 commented Nov 6, 2017

Moving to next version as we need to get a release out.

@pmaier1 pmaier1 modified the milestones: QA, development Nov 6, 2017
@PVince81
Contributor

Fixed through #68.
