From 786f03d786d04d50c780f2c6febde270f28eae33 Mon Sep 17 00:00:00 2001
From: Lars Holm Nielsen <lars.holm.nielsen@cern.ch>
Date: Tue, 17 Oct 2023 22:36:39 +0200
Subject: [PATCH] session: handle user impersonation

---
 invenio_accounts/sessions.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/invenio_accounts/sessions.py b/invenio_accounts/sessions.py
index 7b1ed589..ef1070b4 100644
--- a/invenio_accounts/sessions.py
+++ b/invenio_accounts/sessions.py
@@ -87,8 +87,10 @@ def add_user_session(response):
         session.regenerate()
         # Save the session first so that the sid_s gets generated.
         app.session_interface.save_session(app, session, response)
-        add_session(session)
-        current_accounts.datastore.commit()
+        # Don't add impersonation sessions
+        if "_impersonator_id" not in session:
+            add_session(session)
+            current_accounts.datastore.commit()
         return response
 
 
@@ -130,8 +132,9 @@ def delete_session(sid_s):
     # Remove entries from sessionstore
     _sessionstore.delete(sid_s)
     # Find and remove the corresponding SessionActivity entry
-    with db.session.begin_nested():
-        SessionActivity.query.filter_by(sid_s=sid_s).delete()
+    if "_impersonator_id" not in session:
+        with db.session.begin_nested():
+            SessionActivity.query.filter_by(sid_s=sid_s).delete()
     return 1