User Switching WordPress plugin review

User Switching

When you experiment with your WordPress blog's user rights (editing them directly or with the User Role Editor plugin), you need to test your modifications thoroughly.
If you create new roles or edit existing WordPress core roles, you need to test with double zeal. What does that mean? It means that you should log off as the blog administrator, log in as another user assigned a different role, and check what that user can really do. If you see that some stuff needs to be corrected, you should log off and log in as the WordPress administrator again. You have to repeat those same simple steps again and again. Every login requires typing the user name and password manually. We wasted a lot of time on such operations.
Do you feel the same? If so, you are in the right place. The User Switching WordPress plugin, made by John Blackbourn, saves us a lot of time. After a week of use I’m sure that the “User Switching” plugin is a valuable addition to a test WordPress installation where you play with changed WordPress user roles and capability sets.
How does the “User Switching” plugin work? It is very simple to use. It has no special settings. Just activate it and use it. The plugin adds two new “Switch to” links to the Users screens.
The first link is added to every user row on the Users list screen:
User Switching from users list

The second link is added to the user profile editor screen:
User Switching from user profile editor

When you click the “Switch to” link, you instantly become that user, with that user's rights. For your convenience there is a “Switch back to” link, which lets you instantly return to the user with administrator rights and continue your hard work on creating a new user role.
User Switching Back

I went through the source code of this plugin. It is accurate, effective and secure. The author uses only built-in WordPress functionality to achieve the plugin's purpose. He doesn’t use (and really cannot use) the other user's password; only the user context is changed. The user switch link is protected by checking a special auto-generated field value (wp-nonce).

It is a nice solution. Good plugin. I use it myself and recommend it to you for testing other users' rights after modification.
Thanks to John Blackbourn for this good idea and its brilliant implementation.

P.S. Version 0.2.2 has one minor security issue on WordPress Multisite installations. It is minor because the bad guys have a low probability of using it unless you help them yourself :).
Anyway, you should be aware of that vulnerability. If you add a super-admin user to one of the blogs of a WordPress Multisite network, that blog's admin user can switch to the super-admin and get its super rights over all the site's blogs with the help of User Switching plugin v. 0.2.2. The plugin author already knows about this security hole (look here for details). I hope it will be fixed in the next version.
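
As an added illustration (not code from the User Switching plugin or its author), here is one way a “switch to user” request could be checked inside WordPress so that both protections discussed above apply: the nonce check, and a refusal to let a blog admin switch to a Multisite super-admin. The function name and the nonce action string are hypothetical; the WordPress functions it calls are core functions.

```php
<?php
/**
 * Added example, not the User Switching plugin's code.
 * Hypothetical guard for a "switch to user" request, meant to be loaded
 * inside WordPress. The function name and the nonce action string are
 * assumptions made for this illustration.
 */
function example_can_switch_to_user( $target_user_id, $nonce ) {
    $target_user_id = absint( $target_user_id );
    $actor_id       = get_current_user_id();

    // The actor must be logged in and the target must be an existing user.
    if ( ! $actor_id || ! get_userdata( $target_user_id ) ) {
        return false;
    }

    // The nonce ties the link to this actor, this action and this target,
    // so a request that did not come from a genuine "Switch to" link fails.
    if ( ! wp_verify_nonce( $nonce, 'example_switch_to_user_' . $target_user_id ) ) {
        return false;
    }

    // Site-level permission: the actor must be allowed to edit the target.
    if ( ! current_user_can( 'edit_user', $target_user_id ) ) {
        return false;
    }

    // Multisite guard: a super-admin holds rights over every blog in the
    // network, so only another super-admin may assume that account.
    if ( is_multisite()
        && is_super_admin( $target_user_id )
        && ! is_super_admin( $actor_id ) ) {
        return false;
    }

    return true;
}
```

The link that triggers the switch has to carry a nonce created with the same action string, for example with wp_create_nonce().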


  • Thanks for the review Vladimir, glad you find the plugin useful. I haven’t had a chance to look at the multisite issue yet, but I will when I get time.

    John

  • The vulnerability in version 0.2.2 is fixed in the version 0.3.1 release: “Prevent admins switching to multisite super admin accounts.” Thank you John. Good job!