Allow instance admins to impersonate users

[gtsiolis]

Problem to solve

For instance admins, it could be useful to impersonate users so that they can see what a user sees. This can be helpful for debugging issues or helping out users by taking actions on behalf of the user.

See also relevant discussion (internal). Cc @svenefftinge @geropl @jankeromnes

User Flow

1. An instance admin could go into /admin, search for a user, open their profile, and click an Impersonate action button.
2. It should be clear on the user interface when you are impersonating a user.
3. During impersonation it should be clear how to stop impersonating a user.

[securitymirco]

A few thoughts on my end

• we should consider to log who has been impersonated by whom and when as well as what they did/access
• • we might want to make certain logging available to the users / clients as well so they can see when we used that action
• we should consider gathering consent, some web applications adopted that already (e.g. a checkbox with "allow Gitpod Support Staff to access my account" which remains active for a couple of hours of something (ideally just the time we usually need to go in and check what we have to)
• we really need to make sure there are no logical flaws here (e.g. by directly accessing related links), if some unauthorised user can trigger this action we have real problem

[securitymirco]

I would also like to add the following - let's carefully evaluate the business value of this feature request against the potential attack surface we create with that as well as the potential results (information disclosure, reputation damage etc.).

If ever exploited this would have severe consequences and at the same time there is always an uncertainty on introducing possible bugs/vulnerabilities that remain undiscovered (to us).

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.