Impersonation prevent the redirect when admin session expired (#865)

app/admin/user.rb

@@ -3,6 +3,15 @@
 ActiveAdmin.register User do
   permit_params :email, :first_name, :last_name, :username, :password, :password_confirmation
 
+  if ENV['IMPERSONATION_URL'].present?
+    member_action :impersonate, method: :post do
+      signed_data = Impersonation::Verifier.new.sign!(
+        user_id: resource.id, admin_user_id: current_admin_user.id
+      )
+      redirect_to "#{ENV.fetch('IMPERSONATION_URL')}?auth=#{signed_data}", allow_other_host: true
+    end
+  end
+
   form do |f|
     f.inputs 'Details' do
       f.input :email
@@ -55,18 +64,9 @@
   end
 
   if ENV['IMPERSONATION_URL'].present?
-    action_item :user_impersonation, only: :show do
-      signed_data = Impersonation::Verifier.new.sign!(
-        user_id: resource.id, admin_user_id: current_admin_user.id
-      )
-
-      link_to_if Flipper[:impersonation_tool].enabled?,
-                 "
-                  <span class=\"#{'disabled_impersonate_button' unless Flipper[:impersonation_tool].enabled?}\">
-                    Impersonate User
-                  </span>
-                 ".html_safe, # rubocop:disable Rails/OutputSafety
-                 "#{ENV.fetch('IMPERSONATION_URL')}?auth=#{signed_data}"
+    action_item :user_impersonation, only: :show, if: proc { Flipper.enabled?(:impersonation_tool) } do
+      link_to 'Impersonate User', impersonate_admin_user_path(resource), method: :post,
+                                                                         target: '_blank', rel: 'noopener'
     end
   end
 end

app/policies/admin/user_policy.rb

@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 
 module Admin
-  class UserPolicy < Admin::ApplicationPolicy; end
+  class UserPolicy < Admin::ApplicationPolicy
+    def impersonate?
+      create? && Flipper.enabled?(:impersonation_tool)
+    end
+  end
 end

spec/policies/admin/user_policy_spec.rb

@@ -11,4 +11,21 @@
       expect(subject).to permit(admin, user)
     end
   end
+
+  permissions :impersonate? do
+    let(:admin) { create(:admin_user) }
+    let(:user)  { create(:user) }
+
+    it 'allow access when impersonate_tool is enable' do
+      allow(Flipper).to receive(:enabled?).with(:impersonation_tool).and_return(true)
+
+      expect(subject).to permit(admin, user)
+    end
+
+    it 'denies access when impersonate_tool is disable' do
+      allow(Flipper).to receive(:enabled?).with(:impersonation_tool).and_return(false)
+
+      expect(subject).not_to permit(admin, user)
+    end
+  end
 end