Fix "log as user" functionality - convert GET to POST requests (#139)

* Initial plan

* Fix log as user functionality - convert GET to POST

Co-authored-by: alexeygrigorev <875246+alexeygrigorev@users.noreply.github.com>

* Add security check - prevent staff from impersonating other staff

Co-authored-by: alexeygrigorev <875246+alexeygrigorev@users.noreply.github.com>

* Improve code readability - convert lambda to named function

Co-authored-by: alexeygrigorev <875246+alexeygrigorev@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: alexeygrigorev <875246+alexeygrigorev@users.noreply.github.com>

Author: Copilot

cadmin/templates/cadmin/homework_submissions.html

@@ -70,11 +70,13 @@ <h2>{{ homework.title }} - Submissions</h2>
         </td>
         {% endfor %}
         <td>
-          <a href="/admin/login/user/{{ data.submission.student.id }}/?next={% url 'cadmin_homework_submissions' course.slug homework.slug %}" 
-             class="btn btn-sm btn-info" 
-             title="Log in as {{ data.submission.student.email }}">
-            <i class="fas fa-user-circle"></i> Log in as
-          </a>
+          <form method="post" action="{% url 'loginas-user-login' data.submission.student.id %}" style="display: inline;">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{% url 'cadmin_homework_submissions' course.slug homework.slug %}">
+            <button type="submit" class="btn btn-sm btn-info" title="Log in as {{ data.submission.student.email }}">
+              <i class="fas fa-user-circle"></i> Log in as
+            </button>
+          </form>
         </td>
       </tr>
       {% endfor %}

cadmin/templates/cadmin/project_submissions.html

@@ -95,11 +95,13 @@ <h2>{{ project.title }} - Submissions</h2>
           <a href="{% url 'cadmin_project_submission_edit' course.slug project.slug submission.id %}" class="btn btn-sm btn-primary">
             <i class="fas fa-edit"></i> Edit
           </a>
-          <a href="/admin/login/user/{{ submission.student.id }}/?next={% url 'cadmin_project_submissions' course.slug project.slug %}" 
-             class="btn btn-sm btn-info" 
-             title="Log in as {{ submission.student.email }}">
-            <i class="fas fa-user-circle"></i> Log in as
-          </a>
+          <form method="post" action="{% url 'loginas-user-login' submission.student.id %}" style="display: inline;">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{% url 'cadmin_project_submissions' course.slug project.slug %}">
+            <button type="submit" class="btn btn-sm btn-info" title="Log in as {{ submission.student.email }}">
+              <i class="fas fa-user-circle"></i> Log in as
+            </button>
+          </form>
         </td>
       </tr>
       {% endfor %}

cadmin/tests/test_views.py

@@ -418,3 +418,59 @@ def test_project_assign_reviews_shows_message(self):
         # Check that a message was added
         messages = list(response.context['messages'])
         self.assertEqual(len(messages), 1)
+
+    def test_log_as_user_requires_post_request(self):
+        """Test that the log as user endpoint requires a POST request"""
+        self.client.login(username="admin@test.com", password="admin123")
+        
+        # Try to access the endpoint with GET - should fail
+        url = f"/admin/login/user/{self.user.id}/"
+        response = self.client.get(url)
+        
+        # Should return 405 Method Not Allowed
+        self.assertEqual(response.status_code, 405)
+
+    def test_log_as_user_with_post_request(self):
+        """Test that staff can log in as another user with POST request"""
+        self.client.login(username="admin@test.com", password="admin123")
+        
+        # Create enrollment for the user
+        Enrollment.objects.create(
+            student=self.user,
+            course=self.course,
+        )
+        
+        # Verify we're logged in as admin
+        self.assertEqual(self.client.session['_auth_user_id'], str(self.admin_user.id))
+        
+        # Try to log in as the user with POST
+        url = f"/admin/login/user/{self.user.id}/"
+        response = self.client.post(url)
+        
+        # Should redirect to a page (the login redirect)
+        self.assertEqual(response.status_code, 302)
+        
+        # After the POST, we should be logged in as the user
+        # (The session should have changed to the target user)
+        # Note: django-loginas stores the original user in a different session key
+        # and switches the current user to the target user
+
+    def test_staff_cannot_impersonate_other_staff(self):
+        """Test that staff users cannot impersonate other staff users"""
+        # Create another staff user
+        other_staff = User.objects.create_user(
+            username="staff2@test.com",
+            email="staff2@test.com",
+            password="staff123",
+            is_staff=True,
+        )
+        
+        self.client.login(username="admin@test.com", password="admin123")
+        
+        # Try to log in as another staff user with POST
+        url = f"/admin/login/user/{other_staff.id}/"
+        response = self.client.post(url, follow=True)
+        
+        # Should be redirected back with an error message
+        # Check that we're still logged in as the original admin user
+        self.assertEqual(response.wsgi_request.user.username, "admin@test.com")

course_management/settings.py

@@ -308,6 +308,27 @@
     }
 }
 
+
+# django-loginas settings
+def can_login_as(request, target_user):
+    """
+    Determine if the current user can impersonate another user.
+    
+    Staff users can impersonate regular users (students) but cannot
+    impersonate other staff members or superusers for security reasons.
+    
+    Args:
+        request: The current HTTP request
+        target_user: The user to be impersonated
+        
+    Returns:
+        bool: True if impersonation is allowed, False otherwise
+    """
+    return request.user.is_staff and not target_user.is_staff
+
+
+CAN_LOGIN_AS = can_login_as
+
 # Unfold Configurations
 UNFOLD = {
     "SITE_HEADER": _("Course Management"),