diff --git a/hypha/apply/users/tests/test_views.py b/hypha/apply/users/tests/test_views.py
index 90e6bbe91b278bdd243486b51fc53243faa317a5..190ee006dfb10fdc7be6965b7df6504d0618d246 100644
--- a/hypha/apply/users/tests/test_views.py
+++ b/hypha/apply/users/tests/test_views.py
@@ -74,9 +74,9 @@ class TestBecome(TestCase):
         response = self.client.post(url, {'user_pk': target.pk}, follow=True, secure=True)
         return response
 
-    def test_staff_can_become_user(self):
+    def test_staff_cannot_become_user(self):
         response = self.become_request(self.staff, self.user)
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, 403)
 
     def test_staff_cannot_become_superuser(self):
         response = self.become_request(self.staff, self.superuser)
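Review bot: The new `become` view adds two gates (`settings.HIJACK_ENABLE` and `is_superuser`), but this hunk only flips the staff case to 403 and, as far as the visible part of `TestBecome` shows, leaves both the setting gate and the positive superuser path untested. I would add `@override_settings(HIJACK_ENABLE=False)` on a `test_become_disabled_returns_403` case that sends `self.become_request(self.superuser, self.user)` and asserts `response.status_code == 403`, so a later regression to the old `is_apply_staff` check or a dropped setting check fails a test rather than silently widening impersonation. If there is no `test_superuser_can_become_user` elsewhere in the class, one asserting 200 for the superuser → user request would pin the intended behaviour from the other side. `TestBecome` starts and ends outside this hunk, so these may already exist out of view.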
diff --git a/hypha/apply/users/urls.py b/hypha/apply/users/urls.py
index 53273023e6ec5e9573f0e2f3d35bf975cd517a9b..94bc9bb2ff835b4cdd36f589eafe7aeab3d1983b 100644
--- a/hypha/apply/users/urls.py
+++ b/hypha/apply/users/urls.py
@@ -1,4 +1,3 @@
-from django.conf import settings
 from django.contrib.auth import views as auth_views
 from django.urls import include, path, reverse_lazy
 
@@ -38,6 +37,7 @@ public_urlpatterns = [
 urlpatterns = [
     path('account/', include([
         path('', AccountView.as_view(), name='account'),
+        path('become/', become, name='become'),
         path('password/', include([
             path('', EmailChangePasswordView.as_view(), name='email_change_confirm_password'),
             path(
@@ -94,8 +94,3 @@ urlpatterns = [
         path('oauth', oauth, name='oauth'),
     ])),
 ]
-
-if settings.HIJACK_ENABLE:
-    urlpatterns += [
-        path('account/become/', become, name='become'),
-    ]
diff --git a/hypha/apply/users/views.py b/hypha/apply/users/views.py
index 7a520c64336ae74c2672dd8da1577b15964a9d97..d8e85fa0453c0dec1af72c4ea18c8043ef231c47 100644
--- a/hypha/apply/users/views.py
+++ b/hypha/apply/users/views.py
@@ -159,7 +159,10 @@ class EmailChangeDoneView(TemplateView):
 
 @login_required()
 def become(request):
-    if not request.user.is_apply_staff:
+    if not settings.HIJACK_ENABLE:
+        raise PermissionDenied()
+
+    if not request.user.is_superuser:
         raise PermissionDenied()
 
     id = request.POST.get('user_pk')
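Review bot: With the route now registered unconditionally, a deployment with `HIJACK_ENABLE = False` answers `account/become/` with 403 instead of the 404 it got before (the URL did not exist), which advertises a disabled impersonation endpoint to any logged-in user; if `Http404` is already imported in views.py, `raise Http404()` in the first guard keeps the old externally visible behaviour, otherwise 403 is acceptable but worth a comment. The view reads `request.POST.get('user_pk')` yet is not limited to POST, so a GET from a superuser reaches the lookup with `id = None`; adding `@require_POST` above `@login_required()` rejects that before any user lookup, and also keeps the impersonation action off plain links. Both checks could be one guard, `if not (settings.HIJACK_ENABLE and request.user.is_superuser): raise PermissionDenied()`, since they raise the same thing. The body of `become` continues past the hunk, so what happens with a `None` id is not visible here; this assumes `settings` is imported in views.py as the added line requires.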