Allow custom impersonation permission

[fopina]

Instead of allowing only superuser to impersonate, create a custom permission (can_impersonate) and use a configurable function to check permissions for impersonation.

Function should receive impersonator and impersonee and return True if allowed to impersonate.

Default implementation is the current behavior (if superuser, return True, regardless of who is the target) but apps can override the function in settings.py with one of their own such as:

def can_impersonate(impersonator, impersonee):
    if impersonator.is_superuser : return True
    if impersonator has group `SupportEngineer` and impersonee has group `Developer` : return True
    return False

UPDATE: following up on #1, add this new permission to https://github.com/surface-security/django-impersonate/blob/main/impersonate/admin.py#L7. It's not required for security but needed for UX (hide action from those that cannot use it)

[gsilvapt]

Would it make sense to somehow the groups be configurable? We don't have predefined groups and those should change from company to company. This feature seems powerful, just not sure how to make it dynamic enough to handle different setups.

[fopina]

Maybe I misexplained, I meant that package/default implementation is as-is, so only check if superuser, otherwise deny impersonation.

But allowing this can_impersonate to be customized (method coming from settings.py) to be anything that a project requires.
The snippet shown was an example of what a project could use this method for. They can use specific groups that make sense to the project or make it dynamic, up to them