feat: implement user impersonation

Author: SlimDeluxe

composer.json

@@ -61,6 +61,7 @@
         "pxlrbt/filament-excel": "^2.4",
         "spatie/laravel-package-tools": "^1.18",
         "spatie/laravel-translatable": "^6.11",
+        "stechstudio/filament-impersonate": "^3.16",
         "tangodev-it/filament-emoji-picker": "^1.0",
         "typesense/typesense-php": "^5.0"
     },

src/Filament/Resources/UserResource.php

@@ -24,6 +24,7 @@
 use Illuminate\Database\Eloquent\SoftDeletingScope;
 use Illuminate\Support\Facades\Hash;
 use pxlrbt\FilamentExcel\Actions\Tables\ExportBulkAction;
+use STS\FilamentImpersonate\Tables\Actions\Impersonate;
 
 class UserResource extends Resource implements HasShieldPermissions
 {
@@ -173,6 +174,9 @@ public static function table(Table $table): Table
                 Tables\Actions\ActionGroup::make([
                     Tables\Actions\ViewAction::make(),
                     Tables\Actions\EditAction::make(),
+                    Impersonate::make()
+                        ->grouped()
+                        ->redirectTo(route('filament.admin.tenant')),
                     Tables\Actions\DeleteAction::make()
                         ->authorize(fn (User $record) => auth()->user()->can('delete_user') && auth()->id() !== $record->id)
                         ->requiresConfirmation(),
@@ -305,6 +309,7 @@ public static function getPermissionPrefixes(): array
             'restore_any',
             'force_delete',
             'force_delete_any',
+            'impersonate',
         ];
     }
 }

src/Filament/Resources/UserResource/Pages/ViewUser.php

@@ -5,6 +5,7 @@
 use Eclipse\Core\Filament\Resources\UserResource;
 use Filament\Actions;
 use Filament\Resources\Pages\ViewRecord;
+use STS\FilamentImpersonate\Pages\Actions\Impersonate;
 
 class ViewUser extends ViewRecord
 {
@@ -14,6 +15,9 @@ protected function getHeaderActions(): array
     {
         return [
             Actions\EditAction::make(),
+            Impersonate::make()
+                ->record($this->getRecord())
+                ->redirectTo(route('filament.admin.tenant')),
         ];
     }
 }

src/Models/User.php

@@ -3,6 +3,7 @@
 namespace Eclipse\Core\Models;
 
 use Eclipse\Core\Database\Factories\UserFactory;
+use Exception;
 use Filament\Models\Contracts\FilamentUser;
 use Filament\Models\Contracts\HasAvatar;
 use Filament\Models\Contracts\HasTenants;
@@ -119,7 +120,7 @@ protected static function booted()
 
         static::retrieved(function (self $user) {
             if ($user->trashed() && auth()->check() && request()->routeIs('login')) {
-                throw new \Exception('This account has been deactivated.');
+                throw new Exception('This account has been deactivated.');
             }
         });
     }
@@ -139,14 +140,22 @@ public function updateLoginTracking()
     /**
      * Delete the user account, preventing self-deletion.
      *
-     * @throws \Exception If the user attempts to delete their own account.
+     * @throws Exception If the user attempts to delete their own account.
      */
     public function delete(): ?bool
     {
         if ($this->id === auth()->id()) {
-            throw new \Exception('You cannot delete your own account.');
+            throw new Exception('You cannot delete your own account.');
         }
 
         return parent::delete();
     }
+
+    /**
+     * Determine if the user can impersonate other users.
+     */
+    public function canImpersonate(): bool
+    {
+        return $this->can('impersonate', User::class);
+    }
 }

src/Policies/UserPolicy.php

@@ -92,4 +92,12 @@ public function forceDeleteAny(User $user): bool
     {
         return $user->can('force_delete_any_user');
     }
+
+    /**
+     * Determine whether the user can impersonate other users.
+     */
+    public function impersonate(User $user): bool
+    {
+        return $user->can('impersonate_user');
+    }
 }

tests/Feature/UserImpersonationTest.php

@@ -0,0 +1,109 @@
+<?php
+
+use Eclipse\Core\Models\User;
+use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Gate;
+use STS\FilamentImpersonate\Pages\Actions\Impersonate as ImpersonatePageAction;
+use STS\FilamentImpersonate\Tables\Actions\Impersonate as ImpersonateTableAction;
+
+beforeEach(function () {
+    $this->set_up_super_admin_and_tenant();
+
+    // Create a target user to impersonate
+    $this->targetUser = User::factory()->create([
+        'first_name' => 'Target',
+        'last_name' => 'User',
+        'email' => 'target@example.com',
+    ]);
+
+    // Create a user with impersonate permission
+    $this->authorizedUser = User::factory()->create([
+        'first_name' => 'Authorized',
+        'last_name' => 'User',
+        'email' => 'authorized@example.com',
+    ]);
+    $this->authorizedUser->givePermissionTo('impersonate_user');
+
+    // Create a user without impersonate permission
+    $this->unauthorizedUser = User::factory()->create([
+        'first_name' => 'Unauthorized',
+        'last_name' => 'User',
+        'email' => 'unauthorized@example.com',
+    ]);
+});
+
+test('non-authorized user cannot impersonate other users', function () {
+    // Login as unauthorized user
+    Auth::login($this->unauthorizedUser);
+
+    // Assert user doesn't have impersonate permission
+    $this->assertFalse($this->unauthorizedUser->hasPermissionTo('impersonate_user'));
+    $this->assertFalse($this->unauthorizedUser->can('impersonate', User::class));
+    $this->assertFalse($this->unauthorizedUser->canImpersonate());
+
+    // Test authorization gate
+    $this->expectException(AuthorizationException::class);
+    Gate::authorize('impersonate', User::class);
+});
+
+test('non-authorized user cannot see and trigger the impersonate table and page action', function () {
+    // Login as unauthorized user
+    Auth::login($this->unauthorizedUser);
+
+    // Assert user doesn't have impersonate permission
+    $this->assertFalse($this->unauthorizedUser->hasPermissionTo('impersonate_user'));
+
+    // Create an instance of the Impersonate action
+    $action = ImpersonateTableAction::make('impersonate')
+        ->record($this->targetUser);
+
+    // Assert the action is not authorized
+    $this->assertFalse($action->isVisible());
+    $this->assertFalse($action->isEnabled());
+
+    // Create an instance of the Impersonate page action
+    $action = ImpersonatePageAction::make('impersonate')
+        ->record($this->targetUser);
+
+    // Assert the action is not authorized
+    $this->assertFalse($action->isVisible());
+    $this->assertFalse($action->isEnabled());
+});
+
+test('authorized user can impersonate other users', function () {
+    // Login as authorized user
+    Auth::login($this->authorizedUser);
+
+    // Assert user has impersonate permission
+    $this->assertTrue($this->authorizedUser->hasPermissionTo('impersonate_user'));
+    $this->assertTrue($this->authorizedUser->can('impersonate', User::class));
+    $this->assertTrue($this->authorizedUser->canImpersonate());
+
+    // Test authorization gate
+    $this->assertTrue(Gate::allows('impersonate', User::class));
+});
+
+test('authorized user can see and trigger the impersonate table and page action', function () {
+    // Login as authorized user
+    Auth::login($this->authorizedUser);
+
+    // Assert user has impersonate permission
+    $this->assertTrue($this->authorizedUser->hasPermissionTo('impersonate_user'));
+
+    // Create an instance of the Impersonate action
+    $action = ImpersonateTableAction::make('impersonate')
+        ->record($this->targetUser);
+
+    // Assert the action is authorized
+    $this->assertTrue($action->isVisible());
+    $this->assertTrue($action->isEnabled());
+
+    // Create an instance of the Impersonate page action
+    $action = ImpersonatePageAction::make('impersonate')
+        ->record($this->targetUser);
+
+    // Assert the action is authorized
+    $this->assertTrue($action->isVisible());
+    $this->assertTrue($action->isEnabled());
+});