4 files changed, 134 insertions(+), 0 deletions(-)

A => README.md
A => confluence/switchuser.jsp
A => jira/7.x/switchuser.jsp
A => jira/8.x/switchuser.jsp
A => README.md +1 -0
@@ 0,0 1,1 @@ 
+Temporarily become a different user in Jira and Confluence. See https://www.redradishtech.com/pages/viewpage.action?pageId=5636099

          
A => confluence/switchuser.jsp +42 -0
@@ 0,0 1,42 @@ 
+<%@ page import="com.atlassian.seraph.auth.DefaultAuthenticator" %>
+<%@ page import="com.atlassian.confluence.user.ConfluenceUserManager" %>
+<%@ page import="com.atlassian.spring.container.ContainerManager" %>
+<%@ page import="com.atlassian.confluence.user.AuthenticatedUserThreadLocal" %>
+<%@ page import="com.atlassian.sal.api.user.UserManager" %>
+<%@ page import="com.atlassian.confluence.util.GeneralUtil"%>
+<%@ page import="com.atlassian.confluence.security.PermissionManager" %>
+<%@ page import="com.atlassian.confluence.user.ConfluenceUser" %>
+<%
+	// Temporarily become another user.
+	// © 2018 Red Radish Consulting. Licensed per https://www.apache.org/licenses/LICENSE-2.0.html
+	ConfluenceUser user = (ConfluenceUser) AuthenticatedUserThreadLocal.getUser();
+	PermissionManager permissionManager = (PermissionManager) ContainerManager.getComponent("permissionManager");
+	if (permissionManager.isSystemAdministrator(user))
+	{
+		String newUsername = request.getParameter("user");
+		if (newUsername != null) {
+			ConfluenceUser newUser =(ConfluenceUser) GeneralUtil.getUserAccessor().getUser(newUsername);
+			if (newUser != null) {
+				if (session.getAttribute("okta.confluence.user") != null) {
+					session.setAttribute("okta.confluence.user", newUser);
+				}
+				session.setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, newUser );
+				// Tell websudo to get lost
+				session.setAttribute("confluence.websudo.timestamp", System.currentTimeMillis());
+				String gotoPage = request.getParameter("goto");
+				if (gotoPage != null) {
+					response.sendRedirect(gotoPage);
+				} else {
+					response.sendRedirect("/");
+				}
+			} else {
+				// TODO: wrap in webwork stuff so we can print the entered username without risking XSS
+				out.println("<div class='aui-message aui-message-error'>No such user</div>");
+			}
+		}
+		out.println("<form>Switch to user: <input name='user'/><br/>If successful, go to page: <input name='goto' value='/' /><input type='submit'/></form>");
+	}  else {
+		response.setStatus(403); // Forbidden
+		out.println("Restricted to System Administrators");
+	}
+%>
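Review bot: The `goto` parameter is handed straight to `response.sendRedirect` in the `if (gotoPage != null)` branch, so any absolute URL supplied there sends the freshly re-identified session off-site; restrict it to a site-relative path before redirecting, e.g. `if (gotoPage == null || !gotoPage.startsWith("/") || gotoPage.startsWith("//")) { gotoPage = "/"; }`. The identity switch is also performed on a plain GET (the form at the bottom has no method and no token), and nothing records who switched to whom, so for a page that rewrites `DefaultAuthenticator.LOGGED_IN_KEY` a log line naming the administrator and the target user next to that `setAttribute` call would make the action traceable afterwards. The SAL `UserManager` import at the top of the hunk is unused. The same redirect and logging points apply to the jira/7.x and jira/8.x hunks below.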

          
A => jira/7.x/switchuser.jsp +46 -0
@@ 0,0 1,46 @@ 
+<%@ page import="com.atlassian.jira.ComponentManager" %>
+<%@ page import="com.atlassian.jira.security.JiraAuthenticationContext" %>
+<%@ page import="com.atlassian.seraph.auth.DefaultAuthenticator" %>
+<%@ page import="com.atlassian.jira.user.util.UserManager" %>
+<%@ page import="com.atlassian.jira.component.ComponentAccessor" %>
+<%@ page import="com.atlassian.jira.permission.GlobalPermissionKey" %>
+<%@ page import="com.atlassian.jira.security.Permissions" %>
+<%@ page import="com.atlassian.jira.security.GlobalPermissionManager" %>
+<%@ page import="com.atlassian.jira.user.ApplicationUser" %>
+<%
+	// Temporarily become another user.
+	// © 2018 Red Radish Consulting. Licensed per https://www.apache.org/licenses/LICENSE-2.0.html
+	// TODO: wrap this in a gadget: https://bitbucket.org/redradish/jira-sample-rest-gadget/src
+	final JiraAuthenticationContext jiraAuthenticationContext = ComponentManager.getComponentInstanceOfType(JiraAuthenticationContext.class);
+	ApplicationUser user = jiraAuthenticationContext.getLoggedInUser();
+	 GlobalPermissionManager globalPermissionManager = ComponentAccessor.getGlobalPermissionManager();
+	if (globalPermissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, user))
+	{
+		String newUsername = request.getParameter("user");
+		if (newUsername != null) {
+			UserManager userManager = ComponentAccessor.getUserManager();
+			Object newUser = userManager.getUser(newUsername);
+			if (newUser != null) {
+				if (session.getAttribute("okta.jira.user") != null) {
+					session.setAttribute("okta.jira.user", newUser);
+				}
+				session.setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, newUser );
+				// Tell websudo to get lost
+				session.setAttribute("jira.websudo.timestamp", System.currentTimeMillis());
+				String gotoPage = request.getParameter("goto");
+				if (gotoPage != null) {
+					response.sendRedirect(gotoPage);
+				} else {
+					response.sendRedirect("/");
+				}
+			} else {
+				// TODO: wrap in webwork stuff so we can print the entered username without risking XSS
+				out.println("<div class='aui-message aui-message-error'>No such user</div>");
+			}
+		}
+		out.println("<form>Switch to user: <input name='user'/><br/>If successful, go to page: <input name='goto' value='/' /><input type='submit'/></form>");
+	} else {
+		response.setStatus(403); // Forbidden
+		out.println("Restricted to System Administrators");
+	}
+%>
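Review bot: `Object newUser = userManager.getUser(newUsername);` discards the user type even though `ApplicationUser` is imported at the top of the hunk; declaring it as `ApplicationUser newUser` (assuming `UserManager.getUser` returns that type in 7.x, which is worth confirming) lets the compiler check what is stored under `LOGGED_IN_KEY` instead of leaving it untyped. `Permissions` is imported but never referenced. The redirect and audit-log points raised on the Confluence hunk apply here unchanged.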

          
A => jira/8.x/switchuser.jsp +45 -0
@@ 0,0 1,45 @@ 
+<%@ page import="com.atlassian.jira.security.JiraAuthenticationContext" %>
+<%@ page import="com.atlassian.seraph.auth.DefaultAuthenticator" %>
+<%@ page import="com.atlassian.jira.user.util.UserManager" %>
+<%@ page import="com.atlassian.jira.component.ComponentAccessor" %>
+<%@ page import="com.atlassian.jira.permission.GlobalPermissionKey" %>
+<%@ page import="com.atlassian.jira.security.Permissions" %>
+<%@ page import="com.atlassian.jira.security.GlobalPermissionManager" %>
+<%@ page import="com.atlassian.jira.user.ApplicationUser" %>
+<%
+        // Temporarily become another user. Jira 8.x - see previous revision for a 7.x-compatible version.
+        // © 2019 Red Radish Consulting. Licensed per https://www.apache.org/licenses/LICENSE-2.0.html
+        // TODO: wrap this in a gadget: https://bitbucket.org/redradish/jira-sample-rest-gadget/src
+        final JiraAuthenticationContext jiraAuthenticationContext = ComponentAccessor.getJiraAuthenticationContext();                                       
+        ApplicationUser user = jiraAuthenticationContext.getLoggedInUser();
+        GlobalPermissionManager globalPermissionManager = ComponentAccessor.getGlobalPermissionManager();
+        if (globalPermissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, user))                                                                  
+        {
+                String newUsername = request.getParameter("user");
+                if (newUsername != null) {
+                        UserManager userManager = ComponentAccessor.getUserManager();                                                                       
+                        Object newUser = userManager.getUser(newUsername);
+                        if (newUser != null) {
+                                if (session.getAttribute("okta.jira.user") != null) {                                                                       
+                                        session.setAttribute("okta.jira.user", newUser);                                                                    
+                                }
+                                session.setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, newUser );                                                         
+                                // Tell websudo to get lost
+                                session.setAttribute("jira.websudo.timestamp", System.currentTimeMillis());                                                 
+                                String gotoPage = request.getParameter("goto");                                                                             
+                                if (gotoPage != null) {
+                                        response.sendRedirect(gotoPage);
+                                } else {
+                                        response.sendRedirect("/");
+                                }
+                        } else {
+                                // TODO: wrap in webwork stuff so we can print the entered username without risking XSS                                     
+                                out.println("<div class='aui-message aui-message-error'>No such user</div>");                                               
+                        }
+                }
+                out.println("<form>Switch to user: <input name='user'/><br/>If successful, go to page: <input name='goto' value='/' /><input type='submit'/></form>");
+        } else {
+                response.setStatus(403); // Forbidden
+                out.println("Restricted to System Administrators");
+        }
+%>
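Review bot: The header comment `// Temporarily become another user. Jira 8.x - see previous revision for a 7.x-compatible version.` points readers at history, yet this same commit adds `jira/7.x/switchuser.jsp`, so the reference is misleading; suggest `// Jira 8.x version - the 7.x-compatible variant lives in jira/7.x/switchuser.jsp.` Several lines (the `getJiraAuthenticationContext()` assignment, the `hasPermission` check, the `okta.jira.user` block and the `out.println` calls) carry long runs of trailing whitespace that should be stripped. The untyped `Object newUser` and the unused `Permissions` import repeat the points made on the 7.x hunk.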