Yii 1.1: Impersonate Users within Yii Framework


For some applications it can be advantageous for administration reasons to allow site administrators to login as other users. This is sometimes called user impersonation or "becoming that user".

This tutorial assumes you've set up a very standard Yii web application and was written when 1.1.6 was the current standard. We're also assuming you have a User model that we'll call "User". This is the model that stores your username, password, and other user related account information.

Step 1: UserIdentity

Open your protected.components.UserIdentity class. This should have an existing "authenticate" method that is called by the login form to authenticate a user. We'll begin by refactoring this method a little to pull out the actual work of saving the user.

public function authenticate()
        else if($this->_user->password!==$this->password)
        return !$this->errorCode;
    protected function logInUser($user)
            $this->_user = $user;
            $this->setState('name', $this->_user->name);

Note that your authenticate function might be finding the user by a different attribute, you mostly want to change it to call logInUser when it has successfully authenticated the user.

Now create a static function called Impersonate that looks like this:

public static function impersonate($userId)
    $ui = null;
    $user = User::model()->findByPk($userId);
        $ui = new UserIdentity($user->email, "");
    return $ui;

This function creates a UserIdentity for the specified userId and returns it. It uses our refactored logInUser function to log the user in. The advantage of using this function is that it avoids some of the private/protected access problems of using a static function. (There are some comments about this below that were added before this article was updated to include this refactor.)

Step 2: Create an impersonate action on your site controller:

public function actionImpersonate($id)
    $ui = UserIdentity::impersonate($id);
        Yii::app()->user->login($ui, 0);

You can see that we're logging in as the impersonated user by the same method that the standard LoginForm uses. We'll then redirect to the home page of the site as the new user.

Step 3:

Protect your site/impersonate action. Obviously this action is very powerful. Be sure to add it to your restricted access control rules so that only properly authenticated administrators can access it.

Note that you'll have to log out and back in as a site administrator to become a different user.

Total 5 comments

#3023 report it
Woil at 2011/03/08 11:16am

I've updated with a refactor of the code that logs in the user. This is what I'm actually doing in my application.

#2980 report it
nsbucky at 2011/03/04 07:08pm

your static version will only work if your _user and _id are public, mine are protected so I have to make a new instance.

#2979 report it
Woil at 2011/03/04 06:56pm

I've updated the article to remove the $this references. It really should be static.

#2978 report it
nsbucky at 2011/03/04 06:45pm
a possible fix

I got it to work with this code:

public function impersonate($userId)
        $identity = null;
        $user = Users::model()->findByPk($userId);
        if($user) {
            $identity = new UserIdentity($user->email, "");
            $this->errorCode = self::ERROR_NONE;
        return $identity;
#2977 report it
nsbucky at 2011/03/04 06:41pm
using this when not in context

that static function will throw an error: Using $this when not in object context in ...

Leave a comment

Please to leave your comment.

Write new article