Add admin login-as feature to member admin list

Add procMemberAdminLoginAs action that allows super admins to login as a specific non-admin member from the member admin list page. Includes CSRF protection, admin-only access check, and prevention of logging in as another admin user. Co-authored-by: Lastorder-DC <18280396+Lastorder-DC@users.noreply.github.com>
2026-04-02 01:52:10 +09:00 · 2026-03-02 04:10:30 +00:00 · 2026-03-02 04:10:30 +00:00 · d6486a0415
commit d6486a0415
parent 0a5bbef276
5 changed files with 67 additions and 1 deletions
--- a/modules/member/conf/module.xml
+++ b/modules/member/conf/module.xml
@ -118,6 +118,7 @@
 		<action name="procMemberAdminUpdateGroupOrder" type="controller" />
 		<action name="procMemberAdminUpdateMembersGroup" type="controller" ruleset="manageMemberGroup" />
 		<action name="procMemberAdminDeleteMembers" type="controller" />
+		<action name="procMemberAdminLoginAs" type="controller" />
 	</actions>
 	<eventHandlers>
 		<eventHandler after="document.getDocumentMenu" class="controller" method="triggerGetDocumentMenu" />
--- a/modules/member/lang/en.php
+++ b/modules/member/lang/en.php
@ -407,3 +407,6 @@ $lang->member_unauthenticated = 'Unauthenticated';
 $lang->member_number = 'Member identification number';
 $lang->msg_change_after_click = 'Change after clicking link below';
 $lang->msg_password_changed = 'Your password has been changed.';
+
+$lang->cmd_login_as = 'Login as this member';
+$lang->msg_confirm_login_as = 'Are you sure you want to login as this member? Your current admin session will be terminated.';
--- a/modules/member/lang/ko.php
+++ b/modules/member/lang/ko.php
@ -411,3 +411,6 @@ $lang->member_unauthenticated = '미인증';
 $lang->member_number = '회원 번호';
 $lang->msg_change_after_click = '아래 링크 클릭 후 변경 가능';
 $lang->msg_password_changed = '비밀번호가 변경되었습니다.';
+
+$lang->cmd_login_as = '해당 회원으로 로그인';
+$lang->msg_confirm_login_as = '해당 회원으로 로그인하시겠습니까? 현재 관리자 세션이 종료됩니다.';
--- a/modules/member/member.admin.controller.php
+++ b/modules/member/member.admin.controller.php
@ -1802,6 +1802,46 @@ class MemberAdminController extends Member

 		return new BaseObject();
 	}
+
+	/**
+	 * Login as a specific member (admin only)
+	 * @return void|BaseObject
+	 */
+	function procMemberAdminLoginAs()
+	{
+		// Check admin permission and CSRF token
+		$logged_info = Context::get('logged_info');
+		if(!$logged_info || $logged_info->is_admin !== 'Y' || !Rhymix\Framework\Security::checkCSRF())
+		{
+			throw new Rhymix\Framework\Exceptions\InvalidRequest;
+		}
+
+		$member_srl = Context::get('member_srl');
+		if(!$member_srl)
+		{
+			throw new Rhymix\Framework\Exceptions\InvalidRequest;
+		}
+
+		// Get target member info
+		$member_info = MemberModel::getMemberInfoByMemberSrl($member_srl);
+		if(!$member_info || !$member_info->member_srl)
+		{
+			throw new Rhymix\Framework\Exceptions\InvalidRequest;
+		}
+
+		// Do not allow login as another admin
+		if($member_info->is_admin === 'Y')
+		{
+			throw new Rhymix\Framework\Exceptions\NotPermitted;
+		}
+
+		// Perform login as the target member
+		Rhymix\Framework\Session::login($member_info->member_srl);
+		$oMemberController = getController('member');
+		$oMemberController->setSessionInfo();
+
+		$this->setRedirectUrl(getNotEncodedUrl(''));
+	}
 }
 /* End of file member.admin.controller.php */
 /* Location: ./modules/member/member.admin.controller.php */
--- a/modules/member/tpl/member_list.html
+++ b/modules/member/tpl/member_list.html
@ -97,7 +97,12 @@
 					{zdate($member_info['last_login'], 'Y-m-d')}
 				</td>
 				<td class="rx_detail_marks">{$member_info['group_list']}&nbsp;</td>
-				<td class="nowr"><a href="{getUrl('', 'module', 'admin', 'act', 'dispMemberAdminInsert', 'member_srl', $member_info['member_srl'])}">{$lang->inquiry}/{$lang->cmd_modify}</a></td>
+				<td class="nowr">
+					<a href="{getUrl('', 'module', 'admin', 'act', 'dispMemberAdminInsert', 'member_srl', $member_info['member_srl'])}">{$lang->inquiry}/{$lang->cmd_modify}</a>
+					<!--@if($member_info['is_admin'] != 'Y')-->
+					<a href="#" class="_login_as" data-member-srl="{$member_info['member_srl']}">{$lang->cmd_login_as}</a>
+					<!--@end-->
+				</td>
 				{@$used_values = ''}
 				<!--@foreach($usedIdentifiers as $name=>$title)-->
 					{@$used_values .= "\t".$member_info[$name]}
@ -245,5 +250,19 @@ jQuery(function($){
 			}
 		}
 	});
+	// Login as member
+	$('a._login_as').click(function(e){
+		e.preventDefault();
+		if(!confirm('{$lang->msg_confirm_login_as}')) return;
+		var member_srl = $(this).data('member-srl');
+		var $form = $('#loginAsForm');
+		$form.find('input[name=member_srl]').val(member_srl);
+		$form.submit();
+	});
 });
 </script>
+<form id="loginAsForm" action="./" method="post" style="display:none">
+	<input type="hidden" name="module" value="member" />
+	<input type="hidden" name="act" value="procMemberAdminLoginAs" />
+	<input type="hidden" name="member_srl" value="" />
+</form>