I have a Rails app and need to implement a "universal" or "skeleton key" password using AuthLogic
I have the AuthLogic plugin installed in my RoR app. I am not creating an app that needs to be high security. But I would like it if admins can log in as a particular user without having to know each and every one of their passwords.
I cannot find where AuthLogic actually validates the entered password upon login.
Anyone have any recommendations or advice as to the best method?
Validation happens in the Authlogic::Session::Password module.
If you wanted to override the default behavior, you would do the following:
class UserSession < Authlogic::Session::Base
  verify_password_method :my_verify_method

  private

  def my_verify_method
    if admin_user? # method that checks to see if the current user is an admin
      true
    else
      valid_password? # use default valid password method
    end
  end
end
I would suggest the following. First you have to be logged in as an administrator, otherwise anybody could log in if they knew the magic word.
Then inside your list of users you could show a link that redirects to an action that will log the currently logged in admin as that user. This way you can only show that link to the persons with the correct rights.
Logging in in code is actually pretty easy: just do UserSession.create!(user), just the same as you test it, so that should work I assume.
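The admin-only "log in as this user" action suggested in the answer above, sketched in plain Ruby as an added example that is not part of the original posts or of Authlogic. `User`, `Impersonation`, the `:impersonator_id` session key and the `sign_in` callable (which in the Rails app would wrap `UserSession.create!(user)`) are assumptions; the point is that every switch is authorized against the acting admin and leaves an audit record naming both identities.

```ruby
# Added example; User, Impersonation and :impersonator_id are hypothetical names.
# In the Rails app, sign_in would wrap UserSession.create!(user).
User = Struct.new(:id, :login, :admin)

class Impersonation
  class NotAuthorized < StandardError; end
  attr_reader :audit_log

  # session: Hash-like store (stand-in for the Rails session)
  # sign_in: callable that makes the given user the current user
  def initialize(session, sign_in)
    @session = session
    @sign_in = sign_in
    @audit_log = []
  end

  # Switch the login from actor to target. Only admins may do this, and
  # every attempt is recorded with both identities.
  def start(actor, target)
    unless actor && actor.admin
      record("denied", actor, target)
      raise NotAuthorized, "only admins may log in as another user"
    end
    @session[:impersonator_id] = actor.id # remember the real identity
    @sign_in.call(target)
    record("start", actor, target)
    target
  end

  # Return to the admin's own login and clear the impersonation marker.
  def stop(find_user)
    admin_id = @session.delete(:impersonator_id)
    return nil unless admin_id
    admin = find_user.call(admin_id)
    @sign_in.call(admin)
    record("stop", admin, nil)
    admin
  end

  def active?
    @session.key?(:impersonator_id)
  end

  private

  def record(event, actor, target)
    @audit_log << { event: event, actor: actor&.login, target: target&.login, at: Time.now.utc }
  end
end
```

While `active?` is true, the application can show a banner and attribute any changes to the admin recorded in `:impersonator_id` rather than to the impersonated account.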