[admin] allow impersonation for superusers, for debigging purposes

routes/admin.vue

@@ -56,6 +56,7 @@
                         <template v-slot:row="s">
                             <td>
                                 <a :href="'https://pronouns.page/@' + s.el.username">@{{s.el.username}}</a>
+                                <a href="#" class="badge bg-primary text-white" @click.prevent="impersonate(s.el.username)"><Icon v="user-secret"/></a>
                             </td>
                             <td>
                                 {{$datetime($ulidTime(s.el.id))}}

server/routes/user.js

@@ -550,8 +550,14 @@ router.get('/user/logout-universal', handleErrorAsync(async (req, res) => {
     return res.json('Token removed');
 }));
 
+const canImpersonate = (req) => {
+    return req.isGranted('*') || (
+        req.isGranted('users') && ['example@pronouns.page'].includes(req.params.email)
+    );
+}
+
 router.get('/admin/impersonate/:email', handleErrorAsync(async (req, res) => {
-    if (!req.isGranted('users') || !['example@pronouns.page'].includes(req.params.email)) {
+    if (!canImpersonate(req)) {
         return res.status(401).json({error: 'Unauthorised'});
     }