#863 Impersonation #866

Open
iccowan wants to merge 14 commits into main from 863-impersonation-implementation

iccowan (Member) commented Feb 15, 2026

This PR will:

  • Implement impersonation
    • Allow senior staff and web staff to impersonate any active user
  • Put impersonation behind a feature toggle
  • Close Impersonation #863

iccowan requested a review from a team as a code owner February 15, 2026 15:36
iccowan mentioned this pull request Feb 15, 2026
iccowan force-pushed the 863-impersonation-implementation branch from 0575ac9 to 302d9fc February 15, 2026 16:01
iccowan force-pushed the 863-impersonation-implementation branch from 302d9fc to 392c9b0 February 23, 2026 03:41
Route::get('/', 'AdminDash@backgroundMonitor');
});

Route::prefix('impersonation')->middleware('toggle:impersonation')->group(function () {
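
Review bot: On the `Route::prefix('impersonation')` group line, the only middleware visible is `toggle:impersonation`, which is a feature switch and not an authorization check. Since the stop route has to stay reachable by every user, the role restriction for senior staff and web staff presumably sits on the start route inside the group; a short comment above the group saying so, and noting that stop is intentionally unguarded, would keep a later refactor from moving a role middleware onto the whole prefix or dropping it from start. It is also worth confirming that stop does nothing when the session holds no active impersonation.
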
Contributor

Why not guard the entire impersonation route? Is there a reason that start is guarded but stop is not? Trying to think if there is any way that the stop route could expose an attack vector...

Member Author

Stop can't be guarded because the middleware has to run on the impersonated user. If we don't allow stop to be hit by all users, we would never be able to end impersonation on non-privileged users.

kjporter (Contributor) commented Feb 23, 2026

QA fail - looks like you are missing a migration to add the impersonated_by_id column to the audits table.

iccowan force-pushed the 863-impersonation-implementation branch from 392c9b0 to ec3d260 February 23, 2026 14:22

iccowan (Member Author) commented Feb 23, 2026

> QA fail - looks like you are missing a migration to add the impersonated_by_id column to the audits table.

Corrected and merged into d9bc82a
