From 399ed2be5bb2dbf0807e7d1ea47f35b72873f475 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Rogier?= Date: Thu, 27 Aug 2020 16:39:26 +0200 Subject: [PATCH] Add documentation about impersonating users with an HTTP Header --- security/impersonating_user.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security/impersonating_user.rst b/security/impersonating_user.rst index 634052722a5..308ed5b1e58 100644 --- a/security/impersonating_user.rst +++ b/security/impersonating_user.rst @@ -72,6 +72,11 @@ as the value to the current URL: http://example.com/somewhere?_switch_user=thomas +.. tip:: + + Instead of adding a ``_switch_user`` query string parameter, you can pass + the username in a ``HTTP_X_SWITCH_USER`` header. + To switch back to the original user, use the special ``_exit`` username: .. code-block:: text @@ -197,7 +202,7 @@ Limiting User Switching If you need more control over user switching, you can use a security voter. First, configure ``switch_user`` to check for some new, custom attribute. This can be -anything, but *cannot* start with ``ROLE_`` (to enforce that only your voter will +anything, but *cannot* start with ``ROLE_`` (to enforce that only your voter will be called): .. configuration-block::
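Review bot: In the new tip of the first hunk (inserted after the ``?_switch_user=thomas`` example), the header is written as ``HTTP_X_SWITCH_USER``. That is the form PHP uses to expose request headers in ``$_SERVER``, not the name a client puts on the wire, so a reader cannot tell what to send. Suggest naming the header as it is sent, and saying whether it works out of the box or depends on the ``switch_user`` configuration. A short example block would also help, as the surrounding text gives for the query string. Because this is a second way to trigger impersonation, the tip should state that it is subject to the same access rules as the ``_switch_user`` parameter.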
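Review bot: In the second hunk (under "Limiting User Switching"), the removed and added versions of the line "anything, but *cannot* start with ``ROLE_`` (to enforce that only your voter will" read identically as shown. This looks like a whitespace-only change unrelated to the header tip. Suggest dropping it from this patch or sending it separately, so the diff matches the subject line and the 1 deletion in the diffstat does not suggest that documentation text was removed.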