Allow admin users to impersonate any user

Sam Sehnert requested to merge feature/admin_impersonation into master

What I did

  • If you’re an admin user, you can perfectly impersonate any user.
  • When impersonating, add a small impersonation icon to the bottom right of the window.

Implications

This messes with user sessions and gives a broad-ranging ability to pretend to be someone else. We may need to take care testing this. This hasn't been tested with session timeouts. Only developers will have this power, so it shouldn't be required.

How to test

  • Find any other user ID
  • Go to /auth/impersonate/{user_id}
  • Ensure you're now logged in as that user, and have all their permissions
  • Check that you have a small icon in the bottom right, with a tooltip saying "Stop Impersonating X"
  • Ensure that clicking that icon restores your admin user session
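
An added sketch of the session handling this merge request describes, not code from the branch: an in-memory model showing the admin-only gate, retention of the real admin ID so the session can be restored, and an audit trail of each switch. The names `Session`, `start_impersonation`, `stop_impersonation`, `effective_permissions` and the `USERS` table are hypothetical.

```python
"""In-memory model of admin impersonation (illustrative names only)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample users; the real user store is not shown on this page.
USERS = {
    1: {"name": "admin", "is_admin": True},
    2: {"name": "alice", "is_admin": False},
    3: {"name": "bob", "is_admin": False},
}

@dataclass
class Session:
    user_id: int                            # identity the app currently acts as
    impersonator_id: Optional[int] = None   # real admin behind the session, if any
    audit_log: list = field(default_factory=list)

def start_impersonation(session: Session, target_id: int) -> None:
    """Handler logic for /auth/impersonate/{user_id}."""
    # Authorize against the real identity, never the impersonated one.
    real_id = session.impersonator_id or session.user_id
    if not USERS[real_id]["is_admin"]:
        raise PermissionError("only admins may impersonate")
    if target_id not in USERS:
        raise LookupError("unknown user")
    if session.impersonator_id is not None:
        raise RuntimeError("already impersonating; stop first")
    session.impersonator_id = real_id
    session.user_id = target_id
    session.audit_log.append(("start", real_id, target_id))

def stop_impersonation(session: Session) -> None:
    """Restore the admin session (the 'Stop Impersonating X' icon)."""
    if session.impersonator_id is None:
        raise RuntimeError("not impersonating")
    session.audit_log.append(("stop", session.impersonator_id, session.user_id))
    session.user_id = session.impersonator_id
    session.impersonator_id = None

def effective_permissions(session: Session) -> dict:
    """Permissions follow the impersonated user, as the test steps expect."""
    return {"is_admin": USERS[session.user_id]["is_admin"]}
```

Keeping `impersonator_id` in the session is what lets the stop action restore the admin and lets every action taken while impersonating be attributed to the real account in logs.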
