OK, thanks. I'm getting a "Not Authorized" when I GET /impersonate. Removing "or not self.environment.request.post_vars" seems to fix it.
if not self.is_logged_in() or not self.environment.request.post_vars:
raise HTTP(401, "Not Authorized")
