Add Users#disguise/#revert

app/controllers/users_controller.rb

@@ -1,8 +1,13 @@
 class UsersController < ApplicationController
-  before_action :find_user, only: [:show]
-  before_action do
+  helper_method :allow_disguise?
+
+  before_action :find_user, only: [:show, :disguise]
+  before_action except: :revert do
     raise AccessForbidden unless current_user.at_least(:admin)
   end
+  before_action only: :revert do
+    raise AccessForbidden unless current_user_disguised?
+  end
 
   def index
     @users = User.all
@@ -11,16 +16,35 @@ class UsersController < ApplicationController
   def show
   end
 
+  def disguise
+    raise ActionController::BadRequest unless allow_disguise?(@user)
+    session[:revert_to_id] = current_user.id
+    bypass_sign_in(@user)
+    redirect_to root_url
+  end
+
+  def revert
+    @user = User.find(session.delete(:revert_to_id))
+    bypass_sign_in(@user)
+    redirect_to users_url
+  end
+
   # TODO: add #update to change user status
-  # TODO: add #become/#revert to change to user view
 
   # NOTE: limited actions availabe to :admin by design. Users are meant to
   # manage their accounts by themselves through registrations. In future :admin
   # may be allowed to sing-in as user and make changes there.
 
+  protected
+
+  def allow_disguise?(user)
+    user&.confirmed? && (user != current_user) && !current_user_disguised?
+  end
+
   private
 
   def find_user
     @user = User.find(params[:id])
   end
+
 end