Diffstat (limited to 'lib/api/helpers.rb')
-rw-r--r--lib/api/helpers.rb13
1 files changed, 10 insertions, 3 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 898ca470a30..8db2678b368 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -44,11 +44,14 @@ module API
return nil
end
- identifier = sudo_identifier()
+ identifier = sudo_identifier
- # If the sudo is the current user do nothing
- if identifier && !(@current_user.id == identifier || @current_user.username == identifier)
+ if identifier
+ # We check for private_token because we cannot allow PAT to be used
forbidden!('Must be admin to use sudo') unless @current_user.is_admin?
+ forbidden!('Private token must be specified in order to use sudo') unless private_token_used?
+
+ @impersonator = @current_user
@current_user = User.by_username_or_id(identifier)
not_found!("No user id or username for: #{identifier}") if @current_user.nil?
end
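Review bot: The new guard `forbidden!('Private token must be specified in order to use sudo') unless private_token_used?` depends on `private_token_used?` from the second hunk, which is a plain `private_token == @current_user.private_token` and so evaluates to true when both sides are nil; whether an admin can reach this point with a nil token is not visible here, but the comparison should not accept that case. I would make the helper require a present token, `private_token.present? && private_token == @current_user.private_token`, and, since this compares a secret, use a constant-time comparison such as `ActiveSupport::SecurityUtils.secure_compare` if the Rails version in use provides it. The comment `# We check for private_token because we cannot allow PAT to be used` would read better spelled out, e.g. `# Sudo requires the user's private token; a personal access token (PAT) must not be accepted here`. The enclosing method starts before this hunk.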
@@ -383,6 +386,10 @@ module API
links.join(', ')
end
+ def private_token_used?
+ private_token == @current_user.private_token
+ end
+
def secret_token
Gitlab::Shell.secret_token
end