authenticate: hide impersonation form from non-admin users (#979)

Fixes #881
2025-08-02 08:19:23 +02:00 · 2020-06-23 22:09:33 +07:00 · 2020-06-23 22:09:33 +07:00 · fb4dfaea44
commit fb4dfaea44
parent fa40ff1f77
6 changed files with 47 additions and 14 deletions
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -458,6 +458,11 @@ func (a *Authenticate) deleteSession(ctx context.Context, sessionID string) erro
 	return err
 }

+func (a *Authenticate) isAdmin(user string) bool {
+	_, ok := a.administrator[user]
+	return ok
+}
+
 // Dashboard renders the /.pomerium/ user dashboard.
 func (a *Authenticate) Dashboard(w http.ResponseWriter, r *http.Request) error {
 	s, err := a.getSessionFromCtx(r.Context())
@ -494,6 +499,7 @@ func (a *Authenticate) Dashboard(w http.ResponseWriter, r *http.Request) error {
 		"ImpersonateEmail":  urlutil.QueryImpersonateEmail,
 		"ImpersonateGroups": urlutil.QueryImpersonateGroups,
 		"RedirectURL":       r.URL.Query().Get(urlutil.QueryRedirectURI),
+		"IsAdmin":           a.isAdmin(pbUser.Email),
 	}

 	if redirectURL, err := url.Parse(r.URL.Query().Get(urlutil.QueryRedirectURI)); err == nil {