Add ability to impersonate users

This is mainly for debugging purposes. An administrator can now click the "impersonate user" button on a user page to switch to being logged in as that user. Last logged in at will not be updated if this is done. The ability is only visible and usable to admin users, with an additional safeguard to check for the :impersonate ability, which no user should have.