=== Login as User or Customer — User Switching ===
Contributors: wp-buy, mohmmedalagha, osamaesh
Tags: user switching, login as user, login as customer, switch user, WooCommerce, fast user switching
Requires at least: 5.0
Tested up to: 6.9.4
Requires PHP: 7.4
Stable tag: 4.1.0
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Instant user switching for WordPress — switch to any user account in one click, with full WooCommerce support for customer service teams.

== Description ==

**Login as User or Customer** is a powerful user switching plugin that lets admins and support staff instantly switch into any user account — without knowing their password. It's the fastest way to see exactly what your customer sees, troubleshoot issues, and provide hands-on support directly from your WordPress dashboard.

> **WooCommerce store owners:** This plugin is purpose-built for you. Switch to a customer from the Orders screen, manage their cart, and create orders on their behalf — ideal for phone orders and assisted sales. WooCommerce features require the [Pro version](https://www.wp-buy.com/product/login-as-customer-or-user-pro/).

[vimeo https://vimeo.com/584505898]

= Who is this for? =

* **WooCommerce stores** — assist customers with orders, cart issues, and account problems without asking for their password
* **Membership sites** — verify what members see after logging in
* **Agencies & developers** — test roles and permissions across any user account instantly
* **Support teams** — reproduce customer-reported bugs in one click

= Free Features =

* **One-click user switching** — switch to any non-admin account from the Users screen
* **Switch from user profile** — Login As button on the Edit User screen
* **Go Back in one click** — a persistent bar on the front end returns you to your original account instantly
* **No password needed** — access any account without exposing credentials
* **Role-based access control** — choose which roles are allowed to use the switch feature
* **2FA compatible** — works alongside most two-factor authentication plugins
* **Multisite compatible** — works on WordPress network installations
* **Nonce-protected** — every switch action is verified with a WordPress nonce
* **Secure session storage** — switch state is stored server-side in WordPress transients, not in cookie values

= Pro Features =

* ⭐ **WooCommerce Orders page** — Login As button next to every order
* ⭐ **WooCommerce Order detail** — switch to the customer from the single order screen
* ⭐ **Cart management** — add, remove, and edit products in the customer's cart
* ⭐ **Create orders on behalf of customers** — perfect for phone and assisted sales
* ⭐ **Advanced role management** — granular control over who can switch to whom
* ⭐ **Custom redirect URL** — choose where you land after switching
* ⭐ **Activity log** — track every switch action for auditing purposes
* ⭐ **Shortcode support** — place Login As buttons anywhere on your site

[Upgrade to Pro →](https://www.wp-buy.com/product/login-as-customer-or-user-pro/)

= How It Works =

1. Go to **Users** in your WordPress admin
2. Click **Login as this user** next to any non-admin account
3. You are instantly switched into that account — no password required
4. Browse the site as that user
5. Click **Go back** in the bar at the bottom of the screen to return to your admin account

= Security =

Security is the foundation of this plugin. Every action is protected by multiple layers:

* **Nonce verification** on every switch and return action
* **Capability checks** — only users with `edit_users`, `manage_options`, or `manage_woocommerce` can switch
* **Admin account protection** — switching into administrator accounts is blocked
* **Server-side session storage** — switch state stored in WordPress transients with a 1-hour TTL that refreshes on every page load
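* **HttpOnly + SameSite=Lax cookies** — the session token cookie cannot be read by JavaScript (HttpOnly) and is not sent on cross-site POSTs or sub-requests (SameSite=Lax), which limits token theft via XSS and cross-site request forgery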
* **No data sharing** — no data is sent to any external service

Security vulnerabilities are managed through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/login-as-customer-or-user). All reported issues are reviewed, patched, and disclosed responsibly.

= Privacy =

This plugin does not send data to any third party, does not include any third-party resources, and never will.

The plugin uses a single browser cookie (`loginas_session_token`) to identify the current switch session. The cookie stores only a random 64-character token — no user data. The actual session data (user IDs) is stored server-side in WordPress transients.
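
The switch and return flow described under Security and Privacy, sketched as an added example (not the plugin's own code): nonce check, capability check, blocked privileged targets, and a random token in `loginas_session_token` that maps to a server-side transient. Every `loginas_demo_*` name, the nonce action strings and the hashed transient key are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. All loginas_demo_* names are hypothetical.
function loginas_demo_can_switch( int $user_id ): bool {
    // Capabilities the readme lists as allowed to switch.
    return user_can( $user_id, 'edit_users' ) || user_can( $user_id, 'manage_options' )
        || user_can( $user_id, 'manage_woocommerce' );
}

function loginas_demo_login( int $user_id ): void {
    wp_clear_auth_cookie();
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
}

function loginas_demo_cookie( string $value, int $expires ): void {
    setcookie( 'loginas_session_token', $value, array(
        'expires' => $expires, 'path' => COOKIEPATH, 'domain' => (string) COOKIE_DOMAIN,
        'secure' => is_ssl(), 'httponly' => true, 'samesite' => 'Lax',
    ) );
}
function loginas_demo_switch_to( int $target_id ): void {
    check_admin_referer( 'loginas_demo_switch_' . $target_id ); // nonce bound to action + target
    $privileged = user_can( $target_id, 'edit_users' ) || user_can( $target_id, 'manage_options' );
    if ( ! loginas_demo_can_switch( get_current_user_id() ) || ! get_userdata( $target_id ) || $privileged ) {
        wp_die( 'Switch not permitted.', '', array( 'response' => 403 ) );
    }
    $token = bin2hex( random_bytes( 32 ) ); // 64 random hex characters, no user data
    // User IDs stay server-side; keying by a hash of the token is this example's choice.
    set_transient( 'loginas_demo_' . hash( 'sha256', $token ),
        array( 'original' => get_current_user_id(), 'target' => $target_id ), HOUR_IN_SECONDS );
    loginas_demo_cookie( $token, 0 ); // browser-session cookie
    loginas_demo_login( $target_id );
}

function loginas_demo_switch_back(): void {
    check_admin_referer( 'loginas_demo_back' );
    $raw     = $_COOKIE['loginas_session_token'] ?? '';
    $token   = is_string( $raw ) && preg_match( '/^[0-9a-f]{64}$/', $raw ) ? $raw : '';
    $key     = 'loginas_demo_' . hash( 'sha256', $token );
    $session = '' !== $token ? get_transient( $key ) : false;
    // Authorise the ORIGINAL user (not the switched-in one) and require the recorded target.
    if ( ! is_array( $session ) || get_current_user_id() !== $session['target']
        || ! loginas_demo_can_switch( $session['original'] ) ) {
        wp_die( 'No valid switch session.', '', array( 'response' => 403 ) );
    }
    delete_transient( $key ); // session cleanup before restoring the original account
    loginas_demo_cookie( '', time() - 3600 ); // expire the token cookie
    loginas_demo_login( $session['original'] );
}
```

The per-page-load TTL refresh mentioned above is left out of this sketch.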

= Compatibility =

* WordPress 5.0+
* WordPress Multisite
* WooCommerce (Pro)
* PHP 7.4, 8.0, 8.1, 8.2, 8.3
* Compatible with most 2FA and security plugins

== Installation ==

**From the WordPress dashboard:**

1. Go to **Plugins → Add New**
2. Search for **Login as User or Customer**
3. Click **Install Now** then **Activate**
4. Visit **Login AS** in the admin menu to configure settings

**Manual installation:**

1. Download `login-as-customer-or-user.zip`
2. Go to **Plugins → Add New → Upload Plugin**
3. Upload the zip and click **Activate Plugin**

== Frequently Asked Questions ==

= Who can switch user accounts? =

Only users with the `edit_users`, `manage_options`, or `manage_woocommerce` capability. You can further restrict this to specific roles in the plugin settings under **Login AS → Settings**.

= Can I switch into an administrator account? =

No. Switching into any account with administrator-level capabilities (`edit_users` or `manage_options`) is blocked for security reasons.

= How do I switch back to my original account? =

A bar appears at the bottom of the page while you are switched in. Click **Go back** to return to your original admin account instantly.

= Does this work with WooCommerce? =

Yes — WooCommerce features are available in the [Pro version](https://www.wp-buy.com/product/login-as-customer-or-user-pro/). This includes a Login As button on the orders list, a meta box on the single order screen, cart management, and the ability to create orders on behalf of customers.

= Does this work with two-factor authentication (2FA)? =

Yes. The plugin is compatible with most 2FA solutions. The 2FA prompt is bypassed when switching because you authenticate as the admin, not the target user.

= Does this work on WordPress Multisite? =

Yes. The plugin works on Multisite installations.

= What happens if I close my browser while switched in? =

The switch session is stored as a WordPress transient with a 1-hour TTL that refreshes on every page load. If the transient expires or is evicted from the cache, the session ends and you will be returned to a normal logged-out state. Simply log back into your admin account.

= Does the plugin send any data externally? =

No. The plugin does not send data to any third party, does not include any third-party resources, and does not use external APIs.

= How can I report security bugs? =

You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team helps validate, triage and handle any security vulnerabilities. [Report a security vulnerability.](https://patchstack.com/database/vdp/40615b8f-1f6a-4c82-8567-1e2f4dd0689c)

== Screenshots ==

1. Users page — Login As button next to each user
2. WooCommerce orders page — Login As column (Pro)
3. Front-end notice bar — shown while switched into another account

== Security ==

This plugin is enrolled in the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/login-as-customer-or-user).

To report a security vulnerability, please use the Patchstack mVDP link above. Do not report security issues through the WordPress support forum.

== Changelog ==

= v 4.1.0 =
* New: Redesigned settings page with modern UI
* New: "Enable Plugin In" section — control where the Login As button appears (Users Page / User Profile Page)
* New: User Profile Page now shows a Login As button directly on the Edit User screen


= v 4.0.0 =
* Fixed: "Go back" button failed for editors and non-admin roles — the capability check was incorrectly applied to the switched-in user instead of the original admin
* Improved: Session TTL refreshes on every page load — session stays alive while user is active
* Improved: Cookie domain now respects WordPress COOKIE_DOMAIN constant
* Improved: Pro upgrade notice in WooCommerce uses a clear badge instead of a broken link
* Improved: Review notice waits 7 days after activation before appearing

= v 3.9.1 =
* Security hardening for the user switching workflow
* Removed insecure cookie/session-based account switching
* Added nonce and capability checks for all switch and return actions
* Restricted switching to non-privileged target accounts only
* Implemented secure server-side session storage using WordPress transients
* Added proper session cleanup on logout and switch-back

= v 3.7 =
* Removing unwanted images
* Fixed return to admin function - hot fix 3

= v 3.6 =
* Fixed return to admin issue - hot fix 2

= v 3.5 =
* Fixed return to admin issue - hot fix
* New responsive interface

= v 3.3 =
* Security bug fixes

= v 3.2 =
* Bug fixes and styling improvements

= v 3.1 =
* Updated tested up to

= v 2.9 =
* Bug fixing in users and orders page

= v 2.8 =
* Bug fixing in user switching with 2FA

= v 2.7 =
* Bug fixing in users page and WooCommerce orders page

= v 2.6 =
* Bug fixing in users page (remove limitation)
* Adding new option — Go Back button position

= v 2.5 =
* Bug fixing in button position

= v 2.4 =
* Adding Spanish (Argentina) translation by Mr. gnukleo

= v 2.3 =
* Bug fixing in the WooCommerce cart

= v 2.2 =
* Enable plugin for Admin by default

= v 2.1 =
* Code fixes

= v 1.9 =
* Bug fixing in permissions — editor can no longer switch to admin
* Bug fixing in plugin options Roles section

= v 1.8 =
* Bug fixing in the AJAX request

= v 1.7 =
* Change logout box location from top to left
* Redirect admin to the correct page after logout

= v 1.6 =
* Adding wp-buy control panel page

= v 1.5 =
* Bug fixing in the orders page and users page

= v 1.4 =
* Bug fixing in CSS z-index issue

= v 1.3 =
* Adding Vote message

= v 1.2 =
* Bug fixes in the Login as user message

= v 1.1 =
* First beta release
