
Impersonate allows enabled users to impersonate the superuser/main admin account #486

@davehayes

Description


A superuser/main admin account should never be able to be impersonated.

How to use GitHub

  • Please use the 👍 reaction to show that you are affected by the same issue.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Steps to reproduce

  1. Add an "impersonators" group
  2. Add one user (call her Alice) to that group
  3. Allow this group to impersonate
  4. Log in as Alice
  5. Alice goes to accounts and selects the superuser as an impersonation target

Expected behaviour

A message should be delivered saying "You may not impersonate the superuser".

Actual behaviour

Alice is now the superuser.

Server configuration

Web server: Nginx

Database: PostgreSQL

PHP version: 8.3

Nextcloud version: 31.0.7 Enterprise (see Nextcloud admin page)

List of activated apps
Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - announcementcenter: 7.1.4
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - calendar: 5.3.8
  - calendar_resource_management: 0.9.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.2.4
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.2
  - drawio: 3.1.0
  - event_update_notification: 2.6.1
  - external: 6.0.2
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_accesscontrol: 2.0.0
  - files_archive: 1.2.7
  - files_downloadlimit: 4.0.0
  - files_external: 1.23.0
  - files_inotify: 0.2.3
  - files_lock: 31.0.2
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - groupfolders: 19.1.3
  - integration_openproject: 2.9.1
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - metadata: 0.22.0
  - nextcloud_announcements: 3.0.0
  - notifications: 4.0.0
  - notify_push: 1.1.0
  - oauth2: 1.19.1
  - onlyoffice: 9.9.0
  - password_policy: 3.0.0
  - photos: 4.0.0
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - security_guard: 2.3.1
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - skyprint: 0.1.7
  - spreed: 21.1.2
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - tables: 0.9.5
  - tasks: 0.16.1
  - text: 5.0.0
  - theming: 2.6.1
  - theming_customcss: 1.18.0
  - thesearchpage: 1.2.12
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - user_ldap: 1.22.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - whiteboard: 1.1.3
  - workflowengine: 2.13.0
Disabled:
  - auto_groups: 1.6.2 (installed 1.6.2)
  - encryption: 2.19.0
  - files_confidential: 3.3.0 (installed 3.3.0)
  - files_fulltextsearch: 31.0.0 (installed 31.0.0)
  - fulltextsearch: 31.0.0 (installed 31.0.0)
  - fulltextsearch_elasticsearch: 31.0.0 (installed 31.0.0)
  - globalsiteselector: 2.6.1
  - integration_ews: 1.0.37 (installed 1.0.37)
  - recognize: 9.0.3 (installed 9.0.3)
  - recommendations: 4.0.0 (installed 3.0.0)
  - related_resources: 2.0.0 (installed 1.5.0)
  - richdocuments: 8.7.3 (installed 8.7.3)
  - sharebymail: 1.21.0 (installed 1.20.0)
  - suspicious_login: 9.0.1
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - user_oidc: 7.3.0 (installed 7.3.0)
  - user_saml: 6.6.0
Nextcloud configuration
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.cirrusav.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "31.0.7.2",
        "overwrite.cli.url": "https:\/\/cloud.cirrusav.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "enable_previews": false,
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "log_type": "file",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 1,
        "log_rotate_size": 1048576000,
        "logdateformat": "D, d M y H:i:s O",
        "lost_password_link": "disabled",
        "maintenance_window_start": 100,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "sendmail",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "US",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_smtpdebug": "true",
        "maintenance": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "theme": "",
        "app_install_overwrite": [
            "integration_ews"
        ],
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "allow_local_remote_servers": true,
        "updater.server.url": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "enterprise",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "read_timeout": 0,
            "user": "default",
            "password": "***REMOVED SENSITIVE VALUE***",
            "dbindex": 0
        }
    }
}

Browser

Browser name: Any

Operating system: Any
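Added example, not code from the impersonate app: a self-contained Python model of the authorization decision this report expects, with the scenario from the steps above embedded as constructed data. The group name "admin", the user ids and the denial messages are assumptions; the point is that the target check runs before any group-based grant, so an admin-group member can never be selected as a target.

```python
from dataclasses import dataclass, field

ADMIN_GROUP = "admin"  # assumed name of the superuser/admin group in this model
DENY_SUPERUSER = "You may not impersonate the superuser"
DENY_NO_GRANT = "You are not allowed to impersonate other users"


@dataclass
class Directory:
    """Constructed in-memory stand-in for the user/group backend."""
    users: set[str] = field(default_factory=set)
    groups: dict[str, set[str]] = field(default_factory=dict)
    impersonator_groups: set[str] = field(default_factory=set)  # groups granted impersonation

    def groups_of(self, uid: str) -> set[str]:
        return {g for g, members in self.groups.items() if uid in members}

    def is_admin(self, uid: str) -> bool:
        return ADMIN_GROUP in self.groups_of(uid)

    def may_impersonate(self, actor: str) -> bool:
        """Actor is an admin, or belongs to a group that was granted impersonation."""
        return self.is_admin(actor) or bool(self.groups_of(actor) & self.impersonator_groups)


def check_impersonation(d: Directory, actor: str, target: str) -> tuple[bool, str]:
    """Return (allowed, message). The target check comes first and applies to every
    actor, so a group grant (the "impersonators" group) cannot reach the superuser."""
    if target not in d.users:
        return False, "Unknown user"
    if actor == target:
        return False, "You cannot impersonate yourself"
    if d.is_admin(target):
        return False, DENY_SUPERUSER
    if not d.may_impersonate(actor):
        return False, DENY_NO_GRANT
    return True, f"{actor} now acts as {target}"


def reproduce_issue() -> dict[str, tuple[bool, str]]:
    """Constructed scenario from the report: alice is in 'impersonators', which has
    been granted impersonation; 'root' is the superuser in the admin group."""
    d = Directory(users={"root", "alice", "bob"},
                  groups={ADMIN_GROUP: {"root"}, "impersonators": {"alice"}},
                  impersonator_groups={"impersonators"})
    return {"alice->root": check_impersonation(d, "alice", "root"),  # step 5: must be denied
            "alice->bob": check_impersonation(d, "alice", "bob"),    # ordinary target: allowed
            "bob->alice": check_impersonation(d, "bob", "alice")}    # no grant: denied
```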
