triggerdotdev · ericallam · Feb 25, 2026 · Feb 17, 2026 · Feb 25, 2026
diff --git a/.server-changes/require-admin-during-impersonation.md b/.server-changes/require-admin-during-impersonation.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Require the user is an admin during an impersonation session. Previously only the impersonation cookie was checked; now the real user's admin flag is verified on every request. If admin has been revoked, the session falls back to the real user's ID.
diff --git a/apps/webapp/app/services/session.server.ts b/apps/webapp/app/services/session.server.ts
@@ -6,7 +6,18 @@ import { getImpersonationId } from "./impersonation.server";
 export async function getUserId(request: Request): Promise<string | undefined> {
   const impersonatedUserId = await getImpersonationId(request);
 
-  if (impersonatedUserId) return impersonatedUserId;
+  if (impersonatedUserId) {
+    // Verify the real user (from the session cookie) is still an admin
+    const authUser = await authenticator.isAuthenticated(request);
+    if (authUser?.userId) {
+      const realUser = await getUserById(authUser.userId);
+      if (realUser?.admin) {
+        return impersonatedUserId;
+      }
+    }
+    // Admin revoked or session invalid — fall through to return the real user's ID
+    return authUser?.userId;
+  }
 
   let authUser = await authenticator.isAuthenticated(request);
   return authUser?.userId;
@@ -54,7 +65,7 @@ export async function requireUser(request: Request) {
       dashboardPreferences: user.dashboardPreferences,
       confirmedBasicDetails: user.confirmedBasicDetails,
       mfaEnabledAt: user.mfaEnabledAt,
-      isImpersonating: !!impersonationId,
+      isImpersonating: !!impersonationId && impersonationId === userId,
     };
   }