From 3eedf7f2a4939cd3a6b6f0461220704610e03edb Mon Sep 17 00:00:00 2001
From: Eric Allam
Date: Tue, 17 Feb 2026 08:18:59 +0000
Subject: [PATCH 1/2] feat(webapp): require the user is an admin during an impersonation session
---
apps/webapp/app/services/session.server.ts | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/apps/webapp/app/services/session.server.ts b/apps/webapp/app/services/session.server.ts
index 70450afb694..ea6831265c7 100644
--- a/apps/webapp/app/services/session.server.ts
+++ b/apps/webapp/app/services/session.server.ts
@@ -6,7 +6,18 @@ import { getImpersonationId } from "./impersonation.server";
export async function getUserId(request: Request): Promise {
const impersonatedUserId = await getImpersonationId(request);
- if (impersonatedUserId) return impersonatedUserId;
+ if (impersonatedUserId) {
+ // Verify the real user (from the session cookie) is still an admin
+ const authUser = await authenticator.isAuthenticated(request);
+ if (authUser?.userId) {
+ const realUser = await getUserById(authUser.userId);
+ if (realUser?.admin) {
+ return impersonatedUserId;
+ }
+ }
+ // Admin revoked or session invalid — fall through to return the real user's ID
+ return authUser?.userId;
+ }
let authUser = await authenticator.isAuthenticated(request);
return authUser?.userId;
@@ -54,7 +65,7 @@ export async function requireUser(request: Request) {
dashboardPreferences: user.dashboardPreferences,
confirmedBasicDetails: user.confirmedBasicDetails,
mfaEnabledAt: user.mfaEnabledAt,
- isImpersonating: !!impersonationId,
+ isImpersonating: !!impersonationId && impersonationId === userId,
};
}
From ade5e92deb04e8e8c533853c1a820ebcf9d86c7b Mon Sep 17 00:00:00 2001
From: Eric Allam
Date: Wed, 25 Feb 2026 16:06:54 +0000
Subject: [PATCH 2/2] Add server changeset
---
.server-changes/require-admin-during-impersonation.md | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 .server-changes/require-admin-during-impersonation.md
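Review bot: The fall-through at `return authUser?.userId;` silently demotes a request that carries an impersonation cookie without a valid admin session, and nothing records or clears that state; a stale cookie left over from a revoked admin and a forged or replayed impersonation cookie look identical here, and both are exactly the events an audit trail should capture. I would log before falling through, e.g. `// NOTE(review): an impersonation cookie with no admin session is an auditable event — log { realUserId: authUser?.userId, impersonatedUserId } here`, using whatever server-side logger the webapp already has. Clearing the cookie cannot happen in getUserId (it returns an ID, not a Response), so the caller that commits headers should drop it; the `impersonationId === userId` guard added in requireUser only hides the badge, it does not end the impersonation. The new `getUserById` call is a DB round-trip on every impersonated request, which seems an acceptable price for checking a revocable flag, but `realUser?.admin` is only as strong as the cookie binding — if the impersonation cookie is not tied to the admin who issued it, any admin session plus any impersonation cookie still passes, which I cannot confirm from this file. getUserId's closing brace lies outside the hunk.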
diff --git a/.server-changes/require-admin-during-impersonation.md b/.server-changes/require-admin-during-impersonation.md
new file mode 100644
index 00000000000..18a3145528d
--- /dev/null
+++ b/.server-changes/require-admin-during-impersonation.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Require the user is an admin during an impersonation session. Previously only the impersonation cookie was checked; now the real user's admin flag is verified on every request. If admin has been revoked, the session falls back to the real user's ID.