From 0e17318cba0096b99a7d4512b17a7f546a6e8a67 Mon Sep 17 00:00:00 2001
From: Jordan Ramos
Date: Wed, 24 Jun 2026 13:01:15 -0600
Subject: [PATCH] Hide impersonation events from non-Admin activity feed

Non-Admin users should not see impersonate_start/impersonate_stop entries in the recent activity feed. The feed now filters these actions for non-Admin groups alongside the existing login/logout exclusions.
---
 backend/server.js | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/backend/server.js b/backend/server.js
index 6be7b7d..1bf59ff 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -161,13 +161,18 @@ app.use('/api/audit-logs', createAuditLogRouter());
 app.get('/api/recent-activity', requireAuth(), async (req, res) => {
 try {
 const limit = Math.min(15, Math.max(1, parseInt(req.query.limit) || 10));
+ // Hide impersonation events from non-Admin users
+ const excludedActions = ['login', 'logout', 'login_failed'];
+ if (req.user.group !== 'Admin') {
+ excludedActions.push('impersonate_start', 'impersonate_stop');
+ }
 const { rows } = await pool.query(
 `SELECT username, action, entity_type, entity_id, details, created_at
 FROM audit_logs
- WHERE action NOT IN ('login', 'logout', 'login_failed')
+ WHERE action NOT IN (${excludedActions.map((_, i) => `$${i + 1}`).join(', ')})
 ORDER BY created_at DESC
- LIMIT $1`,
- [limit]
+ LIMIT $${excludedActions.length + 1}`,
+ [...excludedActions, limit]
 );
 res.json({ activities: rows });
 } catch (err) {
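Review bot: The visibility rule for impersonation events now lives only inside this handler, while the context line above the hunk mounts a separate `/api/audit-logs` router that presumably reads the same `audit_logs` table; unless that router applies the same non-Admin exclusion, the hiding done here is cosmetic for anyone who can reach the other endpoint, so the two should share one definition of the excluded set rather than a literal list in each place. The new comment is also narrower than the code it sits above, since `excludedActions` starts with the login/logout entries that are hidden for everyone; `// login/logout noise is hidden for all users; impersonation events additionally for non-Admins` would match. The strict `!== 'Admin'` check sends a missing or undefined `req.user.group` into the non-Admin branch, which is the safe direction, but that behaviour is worth stating in the comment so a later refactor does not invert it. The placeholder numbering (`$1..$n` for the actions, `$n+1` for `limit`) and the constant-only contents of `excludedActions` keep the query parameterized correctly. The handler's `catch` block continues outside the hunk.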