Impersonation.
Operators can impersonate businesses to manage bookings, test settings, and troubleshoot issues as the business user sees them.
What Is Impersonation?
Impersonation lets an operator view and manage a business's admin panel as if they were the business user. The operator's real identity is preserved - all actions are still logged under the operator's account.
This is useful for:
- Testing settings, branding, and availability after setup
- Troubleshooting issues reported by a business user
- Making changes on behalf of a business user without sharing credentials
Starting Impersonation
From the business list, click the eye icon in the action column for the business you want to view. The operator is redirected to the business's dashboard with the business user view active.
You can also start impersonation directly from All Bookings or the operator dashboard: clicking a customer name in the booking list enters the business's admin context and lands on that customer's record. This avoids needing to navigate to the business first.
While impersonating, a compact amber pill appears in the top bar next to the profile dropdown. It displays the impersonated business name and a × close button.
During Impersonation
The operator sees the same sidebar, pages, and data the business user would see:
- Business dashboard with today's bookings
- Calendar, bookings, and customer views scoped to the business
- Settings tabs (if the impersonated role is "owner")
The operator can create bookings, change settings, and perform any action available to the business user role.
Exiting Impersonation
Click the × button on the impersonation pill in the top bar. The operator returns to the business list with their original operator session restored. Clicking Sign out while impersonating also exits impersonation and restores the operator session - it does not log the operator out.
Security
- Only operators can impersonate. Business users cannot impersonate other users.
- The operator's real identity is preserved in the session throughout impersonation
- All actions performed during impersonation are logged in the audit trail under the operator's account, not the impersonated business
- No business user account is required - the operator does not assume an existing user's session
- CSRF protection applies to all actions during impersonation
- Redirect targets are validated against the business's own URL prefix. Traversal, encoded characters, and cross-business redirects are rejected.
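The redirect rule in the last item can be sketched as a small validator. This is an added example, not the product's own code; the /b/<slug>/ URL layout, the function name and the sample paths are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: each business's admin pages live under /b/<slug>/ (hypothetical layout).
PREFIX_TEMPLATE = "/b/{slug}/"
MAX_TARGET_LENGTH = 2048


def is_safe_redirect(target: str, business_slug: str) -> bool:
    """Return True only if target is a plain local path inside the business's prefix.

    business_slug is assumed to come from the server-side impersonation
    session, never from the request.
    """
    if not target or len(target) > MAX_TARGET_LENGTH:
        return False
    # Encoded characters are rejected rather than decoded, which covers
    # %2e%2e, %2f and double encoding (%252e) with one rule. Backslashes
    # are rejected because browsers may treat them as forward slashes.
    if "%" in target or "\\" in target:
        return False
    # Whitespace and control characters (CR/LF, tabs) have no place in a path.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    # Must be a local absolute path; "//host/..." is protocol-relative.
    if not target.startswith("/") or target.startswith("//"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme or parts.netloc:
        return False
    # Traversal: no "." or ".." path segments anywhere.
    if any(seg in (".", "..") for seg in parts.path.split("/")):
        return False
    # Cross-business: the trailing slash in the prefix stops "acme" from
    # matching "/b/acme-evil/...".
    return parts.path.startswith(PREFIX_TEMPLATE.format(slug=business_slug))


if __name__ == "__main__":
    # Constructed sample targets, checked while impersonating business "acme".
    for t in ["/b/acme/customers/42?tab=notes", "/b/acme/../globex/settings",
              "/b/acme/%2e%2e/globex/settings", "/b/globex/customers/7",
              "//evil.example/b/acme/"]:
        print(f"{t!r:45} -> {is_safe_redirect(t, 'acme')}")
```

A target that fails the check should fall back to a fixed default such as the business dashboard rather than being repaired.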