Impersonation

User Impersonation

This entry is part 2 of 2 in the series LaraEdit

Getting Ready For User Impersonation

If your Laravel application has several users and you find yourself doing a lot of blind troubleshooting, you’re going to love this simple user impersonation system!

All you need to have set up to get started is a Laravel application and an admin view that lists all of your users.

Creating The View

Update your admin view that lists your users so that it contains a link for impersonating your users:

@foreach($users as $user)
                        
<tr>
    <td>{{ $user->first_name }}</td>
    <td>{{ $user->last_name }}</td>
    <td>{{ $user->email }}</td>
    <td>
        <a href="/admin/users/impersonate/{{ $user->id }}" class="btn btn-sm btn-primary">
            Impersonate
            <i class="fa fa-fw fa-eye"></i>
        </a>
    </td>
</tr>

@endforeach

Create The Route

Now that we have a link that doesn’t work, let’s fix that by adding our route:

Route::group(['middleware' => 'admin'], function () {
    Route::get('/admin', 'AdminController@index');
    Route::get('/admin/users', 'Admin\UserController@index');
    Route::get('/admin/users/impersonate/{id}', 'Admin\UserController@impersonate');
});

Updating The Controller

Now we can add the logic for impersonating users by adding the impersonate method to our controller (you could also go for a RESTful solution, but the concept is the same):

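public function impersonate($id)
{
    // A non-zero session value means we are already impersonating: switch back.
    if(session('impersonate') != 0) {
        // Log back in as the original user whose id was stored in the session.
        Auth::loginUsingId(session('impersonate'));

        session(['impersonate' => 0]);

        return redirect('/admin/users');
    } else {
        // Remember who we are before switching identities.
        $user = Auth::user();

        Auth::loginUsingId($id);

        // Store the original user's id so we can return to it later.
        session(['impersonate' => $user->id]);

        return redirect('/');
    }
}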

Here we have set a session variable equal to our current user id so that we can re-authenticate as ourselves when we finish with the impersonated session. We could also clear the session variable and avoid checking whether it’s equal to 0, but I like to see the logic working if something’s not working right.

At this point, we can click on our link and we will be magically logged in as the user we chose to impersonate.

But how do we get out of impersonation mode?

Ending Impersonated Session

Now all we have to do is update another view:

@if(session('impersonate') && session('impersonate') != 0)
    <li> 
        <a href="/admin/users/impersonate/{{ session('impersonate') }}">Return to Profile</a>
    </li>
@endif

And just like that we have a link back to our own profile!

Conclusion

You definitely want to add some middleware to protect that route, otherwise bad things will happen!

I used something like this for my admin middleware to get me started:

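public function handle($request, Closure $next)
{
    // While impersonating, the logged-in user is not an admin, so let the
    // request through to reach the impersonate route and switch back.
    if(session('impersonate'))
    {
        return $next($request);
    }

    // Guests have no user object, so check for them before calling isNot().
    if(Auth::guest() || Auth::user()->isNot('admin'))
    {
        return redirect('/');
    }

    return $next($request);
}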
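A hardened variant of the impersonate action above, as an added example (not the original post's code): starting and stopping are separate POST actions so Laravel's CSRF verification covers them, the target must exist, nesting is refused, and every switch is logged. The controller name, the route paths and the App\User model location are assumptions.

```php
<?php

namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\User; // assumption: default Laravel 5 model location
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

// Assumed routes (hypothetical), inside the 'admin' middleware group. POST, so CSRF checks apply:
//   Route::post('/admin/users/{id}/impersonate', 'Admin\ImpersonationController@start');
//   Route::post('/admin/impersonation/stop', 'Admin\ImpersonationController@stop');
class ImpersonationController extends Controller
{
    public function start(Request $request, $id)
    {
        // Refuse to nest, so the stored admin id is never overwritten.
        if ($request->session()->get('impersonate')) {
            abort(403, 'Already impersonating.');
        }
        $admin = Auth::user();
        $target = User::findOrFail($id); // unknown id gives a 404, session untouched

        if ($target->getKey() == $admin->getKey()) {
            return redirect('/admin/users'); // nothing to switch
        }

        Auth::login($target);
        $request->session()->put('impersonate', $admin->getKey());
        Log::info('impersonation started', ['admin' => $admin->getKey(), 'target' => $target->getKey()]);

        return redirect('/');
    }

    public function stop(Request $request)
    {
        // pull() reads and removes the key in one step.
        $adminId = $request->session()->pull('impersonate');
        if (! $adminId) {
            abort(403, 'Not impersonating.');
        }

        $targetId = Auth::id();
        Auth::loginUsingId($adminId);
        Log::info('impersonation ended', ['admin' => $adminId, 'target' => $targetId]);
        return redirect('/admin/users');
    }
}
```

With these routes, the Impersonate and Return to Profile links in the views become small forms that submit by POST and include Laravel's CSRF token field.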

So far I’ve only made a few refactors, which we will cover in a later post.

Until then, let me know if you have any questions and/or requests!
