User Switching

FAQ

Does this plugin work with PHP 8?

Yes, it’s actively tested and working up to PHP 8.4.

Cosa significa “Esci”?

Uscire ti scollega dal tuo account, ma mantiene il tuo ID utente nel cookie di autenticazione, in modo che tu possa rientrare senza dover effettuare nuovamente manualmente il login. E’ come cambiare verso nessun utente ed essere in grado di tornare indietro.

The Switch Off link can be found in your profile menu in the WordPress toolbar. Once you’ve switched off you’ll see a Switch back link in a few places:

• In the footer of your site
• On the Log In screen
• In the “Meta” widget

Questo plugin funziona anche con WordPress Multisite?

Sì, e inoltre potrai cambiare utente dalla schermata Utenti nell’amministrazione del Network.

Questo plugin funziona con WooCommerce?

Yes, and you’ll also be able to switch users from various WooCommerce administration screens while logged in as a Shop Manager or an administrative user.

Questo plugin funziona con BuddyPress?

Sì, e potrai passare da un utente all’altro dallo schermo di profilo dei singoli membri e dallo schermo con la lista di tutti i membri.

Questo plugin funziona con bbPress?

Sì e puoi passare da un utente all’altro dalle schermate di profilo dei membri.

Questo plugin funziona se il mio sito usa un plugin di autenticazione a due fattori?

Sì, per lo più.

Una eccezione di cui sono a conoscenza è Duo Security. Se stai utilizzando questo plugin, dovresti installare il plugin User Switching for Duo Security che previene che che l’autenticazione a due fattori venga mostrata quando si cambia utente.

Di quale capability necessita un utente affinché possa cambiare account?

L’utente deve poter modificare gli utenti per cambiare utente (edit_users). Di regola solo gli Amministratori hanno questa possibilità e nei siti Multisite solo i Super Amministratori possono farlo.

Specifically, a user needs the ability to edit the target user in order to switch to them. This means if you have custom user capability mapping in place which uses the edit_users or edit_user capabilities to affect ability of users to edit others, then User Switching should respect that.

Gli amministratori in installazioni Multisite possono cambiare account?

No. Questo viene abilitato con l’installazione del plugin User Switching for Regular Admins.

Il permesso per cambiare account può essere assegnato ad altri utenti o ruoli?

Sì. Il permesso switch_users può essere assegnato ad un utente o ruolo per permettere il cambio utente a prescindere che abbiano il permesso edit_users o meno. Per praticità, l’utente o ruolo dovrà anche avere il permesso list_users per poter accedere al menu utenti nell’area admin di WordPress.

add_filter( 'user_has_cap', function( $allcaps, $caps, $args, $user ) {
    if ( 'switch_to_user' === $args[0] ) {
        if ( my_condition( $user ) ) {
            $allcaps['switch_users'] = true;
        }
    }
    return $allcaps;
}, 9, 4 );

Note that this needs to happen before User Switching’s own capability filtering, hence the priority of 9.

Can the ability to switch accounts be denied from users?

Yes. User capabilities in WordPress can be set to false to deny them from a user. Denying the switch_users capability prevents the user from switching users, even if they have the edit_users capability.

add_filter( 'user_has_cap', function( $allcaps, $caps, $args, $user ) {
    if ( 'switch_to_user' === $args[0] ) {
        if ( my_condition( $user ) ) {
            $allcaps['switch_users'] = false;
        }
    }
    return $allcaps;
}, 9, 4 );

Notes:

• This needs to happen before User Switching’s own capability filtering, hence the priority of 9.
• The ID of the target user can be found in $args[2].

Can I add a custom “Switch To” link to my own plugin or theme?

Yes. Use the user_switching::maybe_switch_url() method for this. It takes care of authentication and returns a nonce-protected URL for the current user to switch into the provided user account.

if ( method_exists( 'user_switching', 'maybe_switch_url' ) ) {
    $url = user_switching::maybe_switch_url( $target_user );
    if ( $url ) {
        printf(
            '<a href="%1$s">Switch to %2$s</a>',
            esc_url( $url ),
            esc_html( $target_user->display_name )
        );
    }
}

If you want to specify the URL that the user gets redirected to after switching, add a redirect_to parameter to the URL like so:

if ( method_exists( 'user_switching', 'maybe_switch_url' ) ) {
    $url = user_switching::maybe_switch_url( $target_user );
    if ( $url ) {
        // Redirect to the home page after switching:
        $redirect_to = home_url();
        printf(
            '<a href="%1$s">Switch to %2$s</a>',
            esc_url( add_query_arg(
                'redirect_to',
                rawurlencode( $redirect_to ),
                $url
            ) ),
            esc_html( $target_user->display_name )
        );
    }
}

The above code also works for displaying a link to switch back to the original user, but if you want an explicit link for this you can use the following code:

if ( method_exists( 'user_switching', 'get_old_user' ) ) {
    $old_user = user_switching::get_old_user();
    if ( $old_user ) {
        printf(
            '<a href="%1$s">Switch back to %2$s</a>',
            esc_url( user_switching::switch_back_url( $old_user ) ),
            esc_html( $old_user->display_name )
        );
    }
}

Can I determine whether the current user switched into their account?

Yes. Use the current_user_switched() function for this. If the current user switched into their account from another then it returns a WP_User object for their originating user, otherwise it returns false.

if ( function_exists( 'current_user_switched' ) ) {
    $switched_user = current_user_switched();
    if ( $switched_user ) {
        // User is logged in and has switched into their account.
        // $switched_user is the WP_User object for their originating user.
    }
}

Can I log each time a user switches to another account?

You can install an audit trail plugin such as Simple History, WP Activity Log, or Stream, all of which have built-in support for User Switching and all of which log an entry when a user switches into another account.

Does this plugin allow a user to frame another user for an action?

Potentially yes, but User Switching includes some safety protections for this and there are further precautions you can take as a site administrator:

• You can install an audit trail plugin such as Simple History, WP Activity Log, or Stream, all of which have built-in support for User Switching and all of which log an entry when a user switches into another account.
• User Switching stores the ID of the originating user in the new WordPress user session for the user they switch to. Although this session does not persist by default when they subsequently switch back, there will be a record of this ID if your database server has query logging enabled.
• User Switching stores the login name of the originating user in an authentication cookie (see the Privacy Statement for more information). If your server access logs store cookie data, there will be a record of this login name (along with the IP address) for each access request.
• User Switching triggers an action when a user switches account, switches off, or switches back (see below). You can use these actions to perform additional logging for safety purposes depending on your requirements.

One or more of the above should allow you to correlate an action with the originating user when a user switches account, should you need to.

Bear in mind that even without the User Switching plugin in use, any user who has the ability to edit another user can still frame another user for an action by, for example, changing their password and manually logging into that account. If you are concerned about users abusing others, you should take great care when granting users administrative rights.

Does this plugin warn me if I attempt to switch into an account which somebody else is already switched into?

Yes. When this happens you’ll be shown a prompt asking you to confirm that you would like to continue switching to the affected account.

This feature is useful if you have multiple users on your site who may be switching into other user accounts at the same time, for example a team of support agents.

Can I switch users directly from the admin toolbar?

Yes, there’s a third party add-on plugin for this: Admin Bar User Switching.

Viene chiamato qualche hook quando un utente cambia account?

Sì, quando un utente si collega ad un altro account, è chiamato l’hook switch_back_user:

/**
 * Fires when a user switches to another user account.
 *
 * @since 0.6.0
 * @since 1.4.0 The `$new_token` and `$old_token` parameters were added.
 *
 * @param int    $user_id     The ID of the user being switched to.
 * @param int    $old_user_id The ID of the user being switched from.
 * @param string $new_token   The token of the session of the user being switched to. Can be an empty string
 *                            or a token for a session that may or may not still be valid.
 * @param string $old_token   The token of the session of the user being switched from.
 */
do_action( 'switch_to_user', $user_id, $old_user_id, $new_token, $old_token );

Quando un utente accede al suo account originario, è chiamato l’hook: switch_back_user:

/**
 * Fires when a user switches back to their originating account.
 *
 * @since 0.6.0
 * @since 1.4.0 The `$new_token` and `$old_token` parameters were added.
 *
 * @param int       $user_id     The ID of the user being switched back to.
 * @param int|false $old_user_id The ID of the user being switched from, or false if the user is switching back
 *                               after having been switched off.
 * @param string    $new_token   The token of the session of the user being switched to. Can be an empty string
 *                               or a token for a session that may or may not still be valid.
 * @param string    $old_token   The token of the session of the user being switched from.
 */
do_action( 'switch_back_user', $user_id, $old_user_id, $new_token, $old_token );

Quando un utente si scollega, è chiamato l’hook switch_off_user:

/**
 * Fires when a user switches off.
 *
 * @since 0.6.0
 * @since 1.4.0 The `$old_token` parameter was added.
 *
 * @param int    $old_user_id The ID of the user switching off.
 * @param string $old_token   The token of the session of the user switching off.
 */
do_action( 'switch_off_user', $old_user_id, $old_token );

When a user switches to another account, switches off, or switches back, the user_switching_redirect_to filter is applied to the location that they get redirected to:

/**
 * Filters the redirect location after a user switches to another account or switches off.
 *
 * @since 1.7.0
 *
 * @param string       $redirect_to   The target redirect location, or an empty string if none is specified.
 * @param string|null  $redirect_type The redirect type, see the `user_switching::REDIRECT_*` constants.
 * @param WP_User|null $new_user      The user being switched to, or null if there is none.
 * @param WP_User|null $old_user      The user being switched from, or null if there is none.
 */
return apply_filters( 'user_switching_redirect_to', $redirect_to, $redirect_type, $new_user, $old_user );

In aggiunta, User Switching rispetta i seguenti filtri del WordPress core quando necessario:

• login_redirect when switching to another user.
• logout_redirect when switching off.

How can I report a security bug?

You can report security bugs through the official User Switching Vulnerability Disclosure Program on Patchstack. The Patchstack team helps validate, triage, and handle any security vulnerabilities.

Do you accept donations?

I am accepting sponsorships via the GitHub Sponsors program and any support you can give will help me maintain this plugin and keep it free for everyone.