diff --git a/django_su/utils.py b/django_su/utils.py
index 160993b..532832b 100644
--- a/django_su/utils.py
+++ b/django_su/utils.py
@@ -5,7 +5,43 @@
 from django.conf import settings
 from django.utils.module_loading import import_string
+from django.contrib.auth import (
+ BACKEND_SESSION_KEY,
+ SESSION_KEY,
+ authenticate,
+ login,
+)
+def su_in(request, user_id):
+ '''
+ Returns: a User Object or None
+ '''
+ if not request.user.has_perm("auth.change_user"):
+ return None
+
+ userobj = authenticate(request=request, su=True, user_id=user_id)
+ if not userobj:
+ return None
+
+ exit_users_pk = request.session.get("exit_users_pk", default=[])
+ exit_users_pk.append(
+ (request.session[SESSION_KEY], request.session[BACKEND_SESSION_KEY])
+ )
+
+ maintain_last_login = hasattr(userobj, "last_login")
+ if maintain_last_login:
+ last_login = userobj.last_login
+
+ try:
+ if not custom_login_action(request, userobj):
+ login(request, userobj)
+ request.session["exit_users_pk"] = exit_users_pk
+ finally:
+ if maintain_last_login:
+ userobj.last_login = last_login
+ userobj.save(update_fields=["last_login"])
+
+ return userobj
 def su_login_callback(user):
 if hasattr(settings, "SU_LOGIN"):
diff --git a/django_su/views.py b/django_su/views.py
index 1293232..89f2884 100644
--- a/django_su/views.py
+++ b/django_su/views.py
@@ -4,9 +4,6 @@
 from django.conf import settings
 from django.contrib.auth import (
- BACKEND_SESSION_KEY,
- SESSION_KEY,
- authenticate,
 get_user_model,
 login,
 )
@@ -17,7 +14,7 @@
 from django.views.decorators.http import require_http_methods
 from .forms import UserSuForm
-from .utils import custom_login_action, su_login_callback
+from .utils import custom_login_action, su_login_callback, su_in
 User = get_user_model()
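Review bot: In `su_in` (django_su/utils.py) the only authorization gate is the hard-coded `request.user.has_perm("auth.change_user")`, while the view stays behind `@user_passes_test(su_login_callback)`, so the two checks can disagree. `su_login_callback` appears to read a configurable policy from settings (only its first line is visible here). If that policy is stricter than `auth.change_user`, any caller that reaches this helper without going through the view switches users under the weaker rule. I would reuse the same policy inside the helper, `if not su_login_callback(request.user): return None`. The docstring should also state that the function logs the request in as the target user and records the original user in `request.session["exit_users_pk"]`.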
@@ -27,28 +24,9 @@
 @require_http_methods(["POST"])
 @user_passes_test(su_login_callback)
 def login_as_user(request, user_id):
- userobj = authenticate(request=request, su=True, user_id=user_id)
- if not userobj:
+ if not su_in(request, user_id):
 raise Http404("User not found")
- exit_users_pk = request.session.get("exit_users_pk", default=[])
- exit_users_pk.append(
- (request.session[SESSION_KEY], request.session[BACKEND_SESSION_KEY])
- )
-
- maintain_last_login = hasattr(userobj, "last_login")
- if maintain_last_login:
- last_login = userobj.last_login
-
- try:
- if not custom_login_action(request, userobj):
- login(request, userobj)
- request.session["exit_users_pk"] = exit_users_pk
- finally:
- if maintain_last_login:
- userobj.last_login = last_login
- userobj.save(update_fields=["last_login"])
-
 if hasattr(settings, "SU_REDIRECT_LOGIN"):
 warnings.warn(
 "SU_REDIRECT_LOGIN is deprecated, use SU_LOGIN_REDIRECT_URL",
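Review bot: `if not su_in(request, user_id): raise Http404("User not found")` now also fires when `su_in` returns None because the caller lacks `auth.change_user`, so an authorization failure is reported as a missing user. A refused impersonation attempt then looks the same as a mistyped id in the response and in access logs, which makes such attempts harder to spot. I would have `su_in` signal the denial separately, for example `raise PermissionDenied` (from `django.core.exceptions`) in place of its first `return None`, and keep the 404 for a failed `authenticate()` only. `login_as_user` continues past the end of this hunk.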