Feature/impersonate #119

Closed
@Skeen Skeen commented May 1, 2022

This PR introduces impersonation, a functionality for admins to impersonate other users.


@Skeen Skeen force-pushed the feature/impersonate branch from 6725dde to f5225b0 Compare May 1, 2022 20:00
@jmattheis
Member

What's the use case for this? Please create a ticket to discuss the feature before you open a PR.

@Skeen
Contributor Author

Skeen commented May 2, 2022

> What's the use case for this? Please create a ticket to discuss the feature before you open a PR.

Hi,

I'm building an integration between Traggo and Redmine to synchronize timespan entries for all users from Traggo to Redmine.
Thus I need to be able to query all timespans for all users.

I considered the following solutions:

  • Having each user create a never-expiring device and submitting it to the synchronizer software.

I would like to avoid this solution, as it would require each user to put in effort to get the integration working for them.

  • Expanding the GraphQL interface for querying Timespan, such that a user-id can be provided by admins and query results will be filtered for that user.

This solution just seemed dirty in comparison to the chosen solution, as the current solution with impersonation seemed cleaner and more general.

I'm very open to alternative ideas to solve this issue, but impersonation did not seem like a bad idea, as it is a feature offered by many IAM systems.

@jmattheis
Copy link
Member

Okay, I kinda dislike the added device for the user, and that the cookie of the current user will be overridden by this. How about we add a special header like X-Traggo-Impersonate? Inside auth/middleware.go in registerUser it could look like this: (untested)

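```go
// Fragment for registerUser in auth/middleware.go; needs "strconv" imported.
impersonate := request.Header.Get("X-Traggo-Impersonate")
// Only an authenticated admin may act as another user.
if user.Admin && impersonate != "" {
    if userID, err := strconv.Atoi(impersonate); err == nil {
        impersonateUser := &model.User{}
        // Load the target into impersonateUser, not into user.
        if !db.Find(impersonateUser, userID).RecordNotFound() {
            user = impersonateUser
        }
    }
}
```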

It also would be cool if an "impersonating user X" banner would be displayed at the top inside the UI.
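A fail-closed variant of the header check suggested above, as an added example that is not code from this PR or from Traggo. `User`, the `find` lookup and the error values are hypothetical stand-ins for the project's model and database layer; unlike the untested sketch, a malformed, unknown or unauthorized header is rejected rather than ignored, and the real admin is returned next to the target so both can be logged.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
)

type User struct { // stands in for the project's model.User (hypothetical fields)
	ID    int
	Name  string
	Admin bool
}

var (
	ErrNotAdmin    = errors.New("impersonation requires an admin session")
	ErrBadTarget   = errors.New("impersonation header is not a user id")
	ErrUnknownUser = errors.New("impersonation target does not exist")
)

// effectiveUser returns the user to run the request as, plus the real admin
// when impersonation is active. Any problem with the header fails closed.
func effectiveUser(auth *User, h http.Header, find func(int) (*User, bool)) (*User, *User, error) {
	raw := h.Get("X-Traggo-Impersonate")
	if raw == "" {
		return auth, nil, nil // normal request, nobody is impersonated
	}
	if auth == nil || !auth.Admin {
		return nil, nil, ErrNotAdmin
	}
	id, err := strconv.Atoi(raw)
	if err != nil {
		return nil, nil, ErrBadTarget
	}
	target, ok := find(id)
	if !ok {
		return nil, nil, ErrUnknownUser
	}
	return target, auth, nil // caller should audit-log actor and target together
}

func main() {
	users := map[int]*User{1: {1, "admin", true}, 2: {2, "alice", false}} // constructed data
	find := func(id int) (*User, bool) { u, ok := users[id]; return u, ok }
	h := http.Header{"X-Traggo-Impersonate": {"2"}}
	eff, actor, err := effectiveUser(users[1], h, find)
	fmt.Println(eff.Name, actor.Name, err)
}
```

A middleware using this would map the three errors to 403, 400 and 404 responses and attach the returned actor to the request context, which also gives the UI what it needs for the banner.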

@Skeen Skeen mentioned this pull request May 15, 2022
@Skeen Skeen closed this May 15, 2022