DEV: by default disable anon impersonation in dev environments

The impersonate any user by anonymous feature in dev should require a
deliberate opt-in. This way developers are better aware of the security
implications of this development only feature.

app/controllers/session_controller.rb

@@ -103,7 +103,21 @@ class SessionController < ApplicationController
     skip_before_action :check_xhr, only: [:become]
 
     def become
+
       raise Discourse::InvalidAccess if Rails.env.production?
+
+      if ENV['DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE'] != "1"
+        render(content_type: 'text/plain', inline: <<~TEXT)
+          To enable impersonating any user without typing passwords set the following ENV var
+
+          export DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE=1
+
+          You can do that in your bashrc of bash profile file or the script you use to launch the web server
+        TEXT
+
+        return
+      end
+
       user = User.find_by_username(params[:session_id])
       raise "User #{params[:session_id]} not found" if user.blank?