From 9730caef7276a2b20c8b482b9f9e1bb9b47f1a35 Mon Sep 17 00:00:00 2001
From: Matt Aitken <matt@mattaitken.com>
Date: Fri, 9 Jan 2026 14:46:11 +0000
Subject: [PATCH] Allow query access when impersonating

---
 apps/webapp/app/components/navigation/SideMenu.tsx         | 2 +-
 .../route.tsx                                              | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/apps/webapp/app/components/navigation/SideMenu.tsx b/apps/webapp/app/components/navigation/SideMenu.tsx
index 48cbe2fda4..93e6b13420 100644
--- a/apps/webapp/app/components/navigation/SideMenu.tsx
+++ b/apps/webapp/app/components/navigation/SideMenu.tsx
@@ -274,7 +274,7 @@ export function SideMenu({
               to={v3TestPath(organization, project, environment)}
               data-action="test"
             />
-            {(user.admin || featureFlags.hasQueryAccess) && (
+            {(user.admin || user.isImpersonating || featureFlags.hasQueryAccess) && (
               <SideMenuItem
                 name="Query"
                 icon={TableCellsIcon}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/route.tsx
index 75456ac88e..6308287d64 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/route.tsx
@@ -77,9 +77,10 @@ import { querySchemas } from "~/v3/querySchemas";
 async function hasQueryAccess(
   userId: string,
   isAdmin: boolean,
+  isImpersonating: boolean,
   organizationSlug: string
 ): Promise<boolean> {
-  if (isAdmin) {
+  if (isAdmin || isImpersonating) {
     return true;
   }
 
@@ -117,7 +118,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   const user = await requireUser(request);
   const { projectParam, organizationSlug, envParam } = EnvironmentParamSchema.parse(params);
 
-  const canAccess = await hasQueryAccess(user.id, user.admin, organizationSlug);
+  const canAccess = await hasQueryAccess(user.id, user.admin, user.isImpersonating, organizationSlug);
   if (!canAccess) {
     throw redirect("/");
   }
@@ -158,7 +159,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
   const user = await requireUser(request);
   const { projectParam, organizationSlug, envParam } = EnvironmentParamSchema.parse(params);
 
-  const canAccess = await hasQueryAccess(user.id, user.admin, organizationSlug);
+  const canAccess = await hasQueryAccess(user.id, user.admin, user.isImpersonating, organizationSlug);
   if (!canAccess) {
     return typedjson(
       { error: "Unauthorized", rows: null, columns: null, stats: null },