Allow submit_as flag to be used from post-review for different users IF the password is given (or a valid cookie is found)

We have some areas where the OS user is shared between different real users. If you do not have super user or "impersonation" rights you can not change your user id with post-review unless you remove the cookie jar :-(

This change only checks if you need impersonation rights if you are trying to be a different user compared with the connected user. post-review will make use of the last cookie (irrespective of who that is) and post-review has no idea who it has connected as when a cookie is used.

post-review as different low privledged users.