Impersonate user/Run as within workflow?

Hi guys, so, my client insists that he needs to impersonate his users to make onboarding and testing simpler.

I know we have it as “Run as” on the database, but I was trying to create that within the admin dashboard, which worked in the version-test (pure much grabbing the link the “run as” had and giving to the button). But, as I figure**, it didn’t go for live**. Did anybody got a way around this issue?

Error after 2 days:


I’m 75% sure that Bubble checks the referer when you’re trying to visit the URL you’re trying to visit and prevents access to people that aren’t specifically coming from the Bubble editor. :pensive: Please someone correct me if I’m wrong!

1 Like

I have had similar needs in the past – We call it “Shadowing” - Where an administrator can “shadow” another user in the software.

Unfortunately in Bubble this is incredibly challenging since you don’t have access to someone’s password.

In my situation, I know this is frowned upon big time… but I created a separate password field with the password they enter and place there when they sign up. Then, I use privacy rules on that column to ensure that no one but admin can pull the password for a user. Finally, I hide the password between 2 random generated hashes. It’s the best I can do with this limitation. (Edit: One other thing I do as well is I don’t call the field password… I call it something unrelated… that way, if anyone does get access to my database, they won’t know it’s actually storing a password in it lol.)

Is this the most secure? No. But luckily in my case, our apps don’t have sensitive info or credit card info, so I had to work this for my client.

I am sure there are others who have cracked this in a more secure manner - I’ll be eagerly watching this thread because I would like to know how to do this correctly and safely.

1 Like

Appreciate your idea, Its a really creative one.
In our app, I’m thinking on remodeling all calls related to current user.

So, I could show a searchbox input for admins in the dashboard for them to select an user. And then, every single call in the ERP would first call that input (instead of “current user’s email”, would be “searchbox input user’s email” + when empty = current user). It will take some time to redo probably 300+ calls, but it won’t mess the password and social logins.

I’m a bit worried about WU’s and server consumption with that input condition validating every single load on every single user, but lets see what happens…

This topic was automatically closed after 70 days. New replies are no longer allowed.