Admins automatically impersonate runs

matt-aitken

·Mar 18, 2026·#3144Impersonating run and clearing fix

Admin users viewing runs at /runs/<run_id> now automatically impersonate that run, letting them see exactly what end users see without manual setup.

Admins debugging user-reported issues previously needed to manually start an impersonation session before viewing a run. Now when an admin visits a run URL directly — say /runs/abc123 — the system detects their admin status and automatically impersonates that run, redirecting them to the impersonated view.

The system also handles edge cases cleanly. If an admin is already impersonating one user and visits a different run, the previous impersonation is cleared before the new one begins. This prevents mixed or confusing session states.

The implementation lives in the webapp's routing layer. A new route at /runs/:runParam validates admin access, looks up the run's project and environment details, then redirects to an impersonated path using the /@ prefix convention.

A related fix corrects how impersonation logging works: when stopping an impersonation session, the system now correctly records the admin's ID rather than the impersonated user's ID.

View Original GitHub DescriptionFact Check

Fact Check Notice: The PR description omits a bugfix: the clearImpersonation function was logging the wrong user ID (the impersonated target instead of the admin) due to using requireUser instead of authenticator.isAuthenticated. This is visible in the admin.server.ts changes.

Automatically impersonate a run when visiting /runs/<run_id> if an admin is logged in
Clear existing impersonation when switching