Add server changeset

ericallam · ericallam · commit ade5e92deb04 · 2026-02-25T16:06:54.000Z
diff --git a/.server-changes/require-admin-during-impersonation.md b/.server-changes/require-admin-during-impersonation.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Require the user is an admin during an impersonation session. Previously only the impersonation cookie was checked; now the real user's admin flag is verified on every request. If admin has been revoked, the session falls back to the real user's ID.
