diff --git a/config/routes.rb b/config/routes.rb
index bc359e6..2535626 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -6,10 +6,10 @@ Rails.application.routes.draw do
 resources :users, only: [:index, :show, :update] do
 member do
- post :disguise
+ get :disguise
 end
 collection do
- post :revert
+ get :revert
 end
 end
diff --git a/test/system/users_test.rb b/test/system/users_test.rb
index 8a59e71..ed52d30 100644
--- a/test/system/users_test.rb
+++ b/test/system/users_test.rb
@@ -118,7 +118,7 @@ class UsersTest < ApplicationSystemTestCase
 assert_link user.email
 end
- test "disguise disallowed" do
+ test "disguise fails for admin when disallowed" do
 user = users.select(&:admin?).select(&:confirmed?).sample
 sign_in user: user
@@ -126,12 +126,15 @@ class UsersTest < ApplicationSystemTestCase
 text = t("users.index.disguise")
 # Pick row without 'disguise' button
 undisguisable = all(:xpath, "//tbody//tr[not(descendant::*[contains(text(),\"#{text}\")])]")
- within undisguisable.sample do |tr|
- inject_button_to tr.find('td:last-child'), text,
- disguise_user_path(User.find_by_email!(first(:link).text))
- click_on text
- end
- assert_title "Bad request received (400)"
+ user_email = undisguisable.sample.first(:link).text
+ visit disguise_user_path(User.find_by_email!(user_email))
+ assert_title 'The change you wanted was rejected (422)'
+ end
+
+ test "disguise forbidden for non admin" do
+ sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
+ visit disguise_user_path(User.all.sample)
+ assert_title 'Access is forbidden to this page (403)'
 end
 test "delete profile" do
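Review bot: Switching `disguise` and `revert` from `post` to `get` in the `member` and `collection` blocks makes two session-changing actions reachable by a plain link. Rails' `protect_from_forgery` verifies the authenticity token only on non-GET requests, so these routes lose CSRF protection, and a GET can also be fired by link prefetching or a crawler while an admin is signed in. Unless the controller adds its own check that is not visible here, I would keep `post :disguise` and `post :revert` and have the views submit them with `button_to`. The enclosing `Rails.application.routes.draw` block starts and ends outside the hunk.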
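Review bot: Both rewritten tests pick their target at random, and in "disguise forbidden for non admin" `User.all.sample` can return the signed-in user itself, so the 403 assertion may exercise a different path from run to run. Keeping the actor in a local and excluding it makes the case stable: `user = users.reject(&:admin?).select(&:confirmed?).sample`, `sign_in user: user`, `visit disguise_user_path(User.where.not(id: user.id).first)`. The tests also assert only the error page title; a further check that the page still shows the original account after the rejected request would pin the property that matters here, that no identity switch took place. The enclosing `UsersTest` class begins and ends outside the hunk.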