Users with sufficient access (controlled by the $g_impersonate_user_threshold configuration option, default: ADMINISTRATOR) can make REST API calls on behalf of another user. Typical use cases include:
- Reproducing an issue as reported by a specific user
- Testing a user's access to projects, issues, and fields
- Performing operations on behalf of a service account
To impersonate a user, include the X-Mantis-Username HTTP request header with the username of the target user. The following constraints apply:
- The caller must authenticate with an API token (the Authorization header). Impersonation is not available with cookie or anonymous authentication.
- The caller must have the access level defined by $g_impersonate_user_threshold.
- A user cannot impersonate themselves.
- A user cannot impersonate another user whose access level is higher than their own.
- The target user must be a valid, enabled user.
Every REST API response includes the following informational headers:
- X-Mantis-Username: The username under which the request was executed. When impersonation is active, this reflects the impersonated user's username rather than the caller's.
- X-Mantis-LoginMethod: The authentication method used for the request. Possible values are api-token, cookie, and anonymous.
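The following added example (not part of the MantisBT code base) builds an impersonated request and then uses the informational response headers to confirm which identity the call actually ran under, which is the check an integration or audit script should make before trusting the result. The host name, token placeholder, usernames, the /api/rest/users/me path, and sending the raw token as the Authorization value are assumptions.

```python
import urllib.request

def build_impersonated_request(base_url, api_token, target_username,
                               path="/api/rest/users/me"):  # assumed endpoint path
    """Build (but do not send) a REST request that should run as target_username."""
    # Reject empty names and CR/LF so the value cannot split the header.
    if not target_username or "\r" in target_username or "\n" in target_username:
        raise ValueError("invalid impersonation target")
    req = urllib.request.Request(base_url.rstrip("/") + path)
    # Impersonation requires API-token authentication via the Authorization header.
    # Assumption: the raw token is the header value.
    req.add_header("Authorization", api_token)
    req.add_header("X-Mantis-Username", target_username)
    return req

def verify_effective_identity(response_headers, caller, target):
    """Return a list of problems; an empty list means the call ran as target."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    effective = headers.get("x-mantis-username")
    method = headers.get("x-mantis-loginmethod")
    problems = []
    if effective is None:
        problems.append("response has no X-Mantis-Username header")
    elif effective == caller:
        problems.append("request ran as the caller, not the target")
    elif effective != target:
        problems.append("request ran as unexpected user %r" % effective)
    # Expectation derived from the constraints: impersonation is only available
    # with API-token authentication, so any other login method is flagged.
    if method != "api-token":
        problems.append("unexpected X-Mantis-LoginMethod %r" % method)
    return problems

# Constructed sample response headers (not captured from a real server).
SAMPLE_OK = {"X-Mantis-Username": "reporter1", "X-Mantis-LoginMethod": "api-token"}
SAMPLE_NOT_APPLIED = {"X-Mantis-Username": "admin", "X-Mantis-LoginMethod": "api-token"}

if __name__ == "__main__":
    req = build_impersonated_request("https://mantis.example.test",
                                     "PLACEHOLDER_API_TOKEN", "reporter1")
    print(req.full_url, req.header_items())
    print(verify_effective_identity(SAMPLE_OK, "admin", "reporter1"))
    print(verify_effective_identity(SAMPLE_NOT_APPLIED, "admin", "reporter1"))
```

After sending the request with urllib.request.urlopen, pass response.headers to verify_effective_identity and log any non-empty result alongside the caller's own username.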