FEATURE: allow site owners to disable impersonation

config/discourse_defaults.conf

@@ -373,4 +373,7 @@ pg_force_readonly_mode = false
 dns_query_timeout_secs =
 
 # Default global regex timeout
-regex_timeout_seconds = 
+regex_timeout_seconds =
+
+# Allow impersonation function on the cluster to admins
+allow_impersonation = true

lib/guardian.rb

@@ -297,7 +297,7 @@ def can_see_groups_members?(groups)
 
   # Can we impersonate this user?
   def can_impersonate?(target)
-    target &&
+    GlobalSetting.allow_impersonation && target &&
       # You must be an admin to impersonate
       is_admin? &&
       # You may not impersonate other admins unless you are a dev

spec/lib/guardian_spec.rb

@@ -539,6 +539,10 @@
   end
 
   describe "can_impersonate?" do
+    it "disallows impersonation when disabled globally" do
+      global_setting :allow_impersonation, false
+      expect(Guardian.new(admin).can_impersonate?(moderator)).to be_falsey
+    end
     it "allows impersonation correctly" do
       expect(Guardian.new(admin).can_impersonate?(nil)).to be_falsey
       expect(Guardian.new.can_impersonate?(user)).to be_falsey