Prevent Chaining Impersonations
Summary
GitLab currently allows an admin to impersonate another admin. The user can then further impersonate another user. GitLab should prevent chaining impersonations.
Auditing is really important for some specific applications we develop (think PCI/SOX/HIPAA/etc. scoped apps). Because those apps require tight auditing controls, the SCM that contains those apps must also have really good auditing. In my opinion, there is no use-case that supports an admin impersonating another admin, so that might be a quick way to fix that bug, but if you are going to permit admins impersonating admins, then it shouldn’t allow chaining impersonations. It simply makes a mess of the audit trail, something that would become a problem for us if our auditors required evidence in that chain.
This is related to #28587 (closed) but not the same issue. The request here is to disallow the chained impersonation.
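The guard requested above, sketched as an added example that is not part of the original issue and is not GitLab's code: a session that is already impersonating refuses a second hop, and every audit event names the real admin. `User`, `Session`, `ChainedImpersonationError` and the audit event names are hypothetical.

```ruby
# Hypothetical model for illustration; none of these names come from GitLab.
User = Struct.new(:name, :admin)

class ChainedImpersonationError < StandardError; end

class Session
  attr_reader :current_user, :impersonator, :audit_log

  def initialize(user)
    @current_user = user  # identity the session currently acts as
    @impersonator = nil   # real admin behind an active impersonation
    @audit_log = []
  end

  def impersonating?
    !@impersonator.nil?
  end

  def impersonate(target)
    # Check for an active impersonation before checking privileges: the admin
    # flag of an impersonated identity must never authorize a second hop.
    if impersonating?
      record(:impersonation_denied, target)
      raise ChainedImpersonationError, "stop impersonating #{@current_user.name} first"
    end
    raise ArgumentError, "only admins may impersonate" unless @current_user.admin

    @impersonator = @current_user
    @current_user = target
    record(:impersonation_started, target)
  end

  def stop_impersonating
    return unless impersonating?

    record(:impersonation_stopped, @current_user)
    @current_user = @impersonator
    @impersonator = nil
  end

  private

  # Every event carries the real actor, so the trail is never more than one hop deep.
  def record(event, target)
    actor = (@impersonator || @current_user).name
    @audit_log << { event: event, real_actor: actor, target: target.name }
  end
end
```

The denied attempt is logged as well, so a reviewer can see that a second hop was tried and by which real account.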