brain-tec · bt-admin · May 20, 2026 · Nov 20, 2025 · May 19, 2026 · May 19, 2026
diff --git a/README.md b/README.md
@@ -43,7 +43,7 @@ addon | version | maintainers | summary
 [base_user_show_email](base_user_show_email/) | 16.0.1.0.0 |  | Untangle user login and email
 [cross_connect_client](cross_connect_client/) | 16.0.1.1.0 | <a href='https://github.com/paradoxxxzero'><img src='https://github.com/paradoxxxzero.png' width='32' height='32' style='border-radius:50%;' alt='paradoxxxzero'/></a> | Cross Connect Client allows to connect to a Cross Connect Server enabled odoo instance.
 [cross_connect_server](cross_connect_server/) | 16.0.1.1.0 | <a href='https://github.com/paradoxxxzero'><img src='https://github.com/paradoxxxzero.png' width='32' height='32' style='border-radius:50%;' alt='paradoxxxzero'/></a> | Cross Connect Server allows Cross Connect Client to connect to it.
-[impersonate_login](impersonate_login/) | 16.0.1.0.0 | <a href='https://github.com/Kev-Roche'><img src='https://github.com/Kev-Roche.png' width='32' height='32' style='border-radius:50%;' alt='Kev-Roche'/></a> | tools
+[impersonate_login](impersonate_login/) | 16.0.1.0.1 | <a href='https://github.com/Kev-Roche'><img src='https://github.com/Kev-Roche.png' width='32' height='32' style='border-radius:50%;' alt='Kev-Roche'/></a> | tools
 [password_security](password_security/) | 16.0.1.0.4 |  | Allow admin to set password security requirements.
 [user_log_view](user_log_view/) | 16.0.1.0.0 | <a href='https://github.com/trojikman'><img src='https://github.com/trojikman.png' width='32' height='32' style='border-radius:50%;' alt='trojikman'/></a> | Allow to see user's actions log
 [users_ldap_groups](users_ldap_groups/) | 16.0.1.0.1 |  | Adds user accounts to groups based on rules defined by the administrator.

diff --git a/impersonate_login/README.rst b/impersonate_login/README.rst
@@ -1,3 +1,7 @@
+.. image:: https://odoo-community.org/readme-banner-image
+   :target: https://odoo-community.org/get-involved?utm_source=readme
+   :alt: Odoo Community Association
+
 =================
 Impersonate Login
 =================
@@ -7,13 +11,13 @@ Impersonate Login
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:4875867f60d80f01c7bb74137a9f9bbdc0dceffde3bd47d96af9d897cd8de1f6
+   !! source digest: sha256:78fb4aa559c1a3d38ba24a93003d382fe68a762624ce5aab4c211fbcb65c2f87
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
     :target: https://odoo-community.org/page/development-status
     :alt: Beta
-.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+.. |badge2| image:: https://img.shields.io/badge/license-AGPL--3-blue.png
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
@@ -35,15 +39,16 @@ clicking on the button "Back to Original User".
 To ensure that any abuse of this feature will not go unnoticed, the
 following measures are in place:
 
--  In the chatter, it is displayed who is the user that is logged as
-   another user.
--  Mails and messages are sent from the original user.
--  Impersonated logins are logged and can be consulted through the
-   Settings -> Technical menu.
--  
-
-There is an alternative module to allow logins as another user
-(auth_admin_passkey), but it does not support these security mechanisms.
+- In the chatter, it is displayed who is the user that is logged as
+  another user.
+- Mails and messages are sent from the original user.
+- Impersonated logins are logged and can be consulted through the
+  Settings -> Technical menu.
+- You can optionally forbid impersonation of users with "Administration:
+  Settings" rights by enabling the related option in the settings. There
+  is an alternative module to allow logins as another user
+  (auth_admin_passkey), but it does not support these security
+  mechanisms.
 
 **Table of contents**
 
@@ -55,6 +60,10 @@ Configuration
 
 The impersonating user must belong to group "Impersonate Users".
 
+If you want to prevent impersonation of users with the *Administration:
+Settings* rights, enable the *Restrict Impersonation of "Administration:
+Settings" Users* option in the settings.
+
 Usage
 =====
 
@@ -85,10 +94,10 @@ Authors
 Contributors
 ------------
 
--  Kévin Roche <kevin.roche@akretion.com>
--  `360ERP <https://www.360erp.com>`__:
+- Kévin Roche <kevin.roche@akretion.com>
+- `360ERP <https://www.360erp.com>`__:
 
-   -  Andrea Stirpe
+  - Andrea Stirpe
 
 Maintainers
 -----------

diff --git a/impersonate_login/__manifest__.py b/impersonate_login/__manifest__.py
@@ -5,7 +5,7 @@
 {
     "name": "Impersonate Login",
     "summary": "tools",
-    "version": "16.0.1.0.0",
+    "version": "16.0.1.0.1",
     "category": "Tools",
     "website": "https://github.com/OCA/server-auth",
     "author": "Akretion, Odoo Community Association (OCA)",
@@ -20,6 +20,7 @@
     "data": [
         "security/group.xml",
         "security/ir.model.access.csv",
+        "views/res_config_settings.xml",
         "views/res_users.xml",
         "views/impersonate_log.xml",
     ],

diff --git a/impersonate_login/i18n/impersonate_login.pot b/impersonate_login/i18n/impersonate_login.pot
@@ -25,6 +25,11 @@ msgstr ""
 msgid "Base"
 msgstr ""
 
+#. module: impersonate_login
+#: model:ir.model,name:impersonate_login.model_res_config_settings
+msgid "Config Settings"
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_mail__body
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_message__body
@@ -66,6 +71,13 @@ msgstr ""
 msgid "ID"
 msgstr ""
 
+#. module: impersonate_login
+#: model:ir.model.fields,help:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings
+msgid ""
+"If enabled, users with the 'Administration: Settings' access right cannot be"
+" impersonated."
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.actions.act_window,name:impersonate_login.impersonate_log_action
 msgid "Impersonate Login Logs"
@@ -92,6 +104,11 @@ msgstr ""
 msgid "Impersonated Logs"
 msgstr ""
 
+#. module: impersonate_login
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid "Impersonation Login"
+msgstr ""
+
 #. module: impersonate_login
 #. odoo-python
 #: code:addons/impersonate_login/models/res_users.py:0
@@ -132,6 +149,19 @@ msgstr ""
 msgid "Message"
 msgstr ""
 
+#. module: impersonate_login
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid ""
+"Prevents impersonating users that have the\n"
+"                                    \"Administration: Settings\" access rights."
+msgstr ""
+
+#. module: impersonate_login
+#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid "Restrict Impersonation of 'Administration: Settings' Users"
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.model.fields,field_description:impersonate_login.field_impersonate_log__date_start
 msgid "Start Date"
@@ -157,3 +187,11 @@ msgstr ""
 #, python-format
 msgid "You are already Logged as another user."
 msgstr ""
+
+#. module: impersonate_login
+#. odoo-python
+#: code:addons/impersonate_login/models/res_users.py:0
+#, python-format
+msgid ""
+"You cannot impersonate users with 'Administration: Settings' access rights."
+msgstr ""
diff --git a/impersonate_login/i18n/it.po b/impersonate_login/i18n/it.po
@@ -28,6 +28,11 @@ msgstr "Riporta a utente originale"
 msgid "Base"
 msgstr "Base"
 
+#. module: impersonate_login
+#: model:ir.model,name:impersonate_login.model_res_config_settings
+msgid "Config Settings"
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_mail__body
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_message__body
@@ -69,6 +74,13 @@ msgstr "Instradamento HTTP"
 msgid "ID"
 msgstr "ID"
 
+#. module: impersonate_login
+#: model:ir.model.fields,help:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings
+msgid ""
+"If enabled, users with the 'Administration: Settings' access right cannot be "
+"impersonated."
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.actions.act_window,name:impersonate_login.impersonate_log_action
 msgid "Impersonate Login Logs"
@@ -95,6 +107,11 @@ msgstr "Imita autore"
 msgid "Impersonated Logs"
 msgstr "Imita registri"
 
+#. module: impersonate_login
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid "Impersonation Login"
+msgstr ""
+
 #. module: impersonate_login
 #. odoo-python
 #: code:addons/impersonate_login/models/res_users.py:0
@@ -125,7 +142,6 @@ msgstr "Registrato come"
 #. module: impersonate_login
 #. odoo-python
 #: code:addons/impersonate_login/models/mail_message.py:0
-#: code:addons/impersonate_login/models/mail_message.py:0
 #, python-format
 msgid "Logged in as {}"
 msgstr "Registrato come {}"
@@ -135,6 +151,20 @@ msgstr "Registrato come {}"
 msgid "Message"
 msgstr "Messaggio"
 
+#. module: impersonate_login
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid ""
+"Prevents impersonating users that have the\n"
+"                                    \"Administration: Settings\" access "
+"rights."
+msgstr ""
+
+#. module: impersonate_login
+#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid "Restrict Impersonation of 'Administration: Settings' Users"
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.model.fields,field_description:impersonate_login.field_impersonate_log__date_start
 msgid "Start Date"
@@ -160,3 +190,11 @@ msgstr "Utente"
 #, python-format
 msgid "You are already Logged as another user."
 msgstr "Si è già registrati come altro utente."
+
+#. module: impersonate_login
+#. odoo-python
+#: code:addons/impersonate_login/models/res_users.py:0
+#, python-format
+msgid ""
+"You cannot impersonate users with 'Administration: Settings' access rights."
+msgstr ""
diff --git a/impersonate_login/models/__init__.py b/impersonate_login/models/__init__.py
@@ -4,3 +4,4 @@
 from . import mail_message
 from . import impersonate_log
 from . import model
+from . import res_config_settings
diff --git a/impersonate_login/models/res_config_settings.py b/impersonate_login/models/res_config_settings.py
@@ -0,0 +1,15 @@
+from odoo import fields, models
+
+
+class ResConfigSettings(models.TransientModel):
+    _inherit = "res.config.settings"
+
+    restrict_impersonate_admin_settings = fields.Boolean(
+        string="Restrict Impersonation of 'Administration: Settings' Users",
+        config_parameter="impersonate_login.restrict_impersonate_admin_settings",
+        help=(
+            "If enabled, users with the 'Administration: Settings' access right"
+            " cannot be impersonated."
+        ),
+        default=False,
+    )
diff --git a/impersonate_login/models/res_users.py b/impersonate_login/models/res_users.py
@@ -24,6 +24,20 @@ def _is_impersonate_user(self):
 
     def impersonate_login(self):
         if request:
+            config_restrict = (
+                self.env["ir.config_parameter"]
+                .sudo()
+                .get_param("impersonate_login.restrict_impersonate_admin_settings")
+            )
+            if config_restrict:
+                admin_settings_group = self.env.ref("base.group_system")
+                if admin_settings_group in self.groups_id:
+                    raise UserError(
+                        _(
+                            "You cannot impersonate users with"
+                            " 'Administration: Settings' access rights."
+                        )
+                    )
             if request.session.impersonate_from_uid:
                 if self.id == request.session.impersonate_from_uid:
                     return self.back_to_origin_login()

diff --git a/impersonate_login/readme/CONFIGURE.md b/impersonate_login/readme/CONFIGURE.md
@@ -1 +1,5 @@
 The impersonating user must belong to group "Impersonate Users".
+
+If you want to prevent impersonation of users with the *Administration: Settings*
+rights, enable the *Restrict Impersonation of "Administration: Settings" Users*
+option in the settings.
diff --git a/impersonate_login/readme/DESCRIPTION.md b/impersonate_login/readme/DESCRIPTION.md
@@ -6,6 +6,7 @@ To ensure that any abuse of this feature will not go unnoticed, the following me
 * In the chatter, it is displayed who is the user that is logged as another user.
 * Mails and messages are sent from the original user.
 * Impersonated logins are logged and can be consulted through the Settings -> Technical menu.
-* 
+* You can optionally forbid impersonation of users with "Administration: Settings"
+  rights by enabling the related option in the settings.
 There is an alternative module to allow logins as another user (auth_admin_passkey),
 but it does not support these security mechanisms.