evo-mark / laravel-impersonate
Laravel Impersonate is a plugin that allows to you to authenticate as your users.
Installs: 7
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 225
pkg:composer/evo-mark/laravel-impersonate
Requires
- php: ^8.2
- laravel/framework: ^11.0 | ^12.0
Requires (Dev)
- mockery/mockery: ^1.3.3
- orchestra/testbench: ^8.0 | ^9.0 | ^10.0
- phpunit/phpunit: ^10.0 | ^11.0 | ^12.0
This package is auto-updated.
Last update: 2025-10-20 09:05:27 UTC
README
Laravel Impersonate
Laravel Impersonate makes it easy to authenticate as your users. Add a simple trait to your user model and impersonate as one of your users in one click.
- Requirements
- Installation
- Simple usage
- Advanced Usage
- Configuration
- Blade
- Tests
- Contributors
- Why Not Just Use loginAsId()?
Requirements
- Laravel 10.x to 11.x
- PHP >= 8.2
Laravel support
| Version | Release | 
|---|---|
| 10.x to 11.x | 1.8 | 
Migrating to evo-mark/impersonate
- Remove the original package with composer remove lab404/laravel-impersonate
- Install the forked version using the instructions below
- Rename any uses of the package's classes in your app from Lab404\ImpersonatetoEvoMark\Impersonate
Installation
- Require it with Composer:
composer require evo-mark/laravel-impersonate
- Add the service provider at the end of your config/app.php:
'providers' => [ // ... EvoMark\Impersonate\ImpersonateServiceProvider::class, ],
- Add the trait EvoMark\Impersonate\Models\Impersonateto your User model.
Simple usage
Impersonate a user:
Auth::user()->impersonate($other_user); // You're now logged as the $other_user
Leave impersonation:
Auth::user()->leaveImpersonation(); // You're now logged as your original user.
Using the built-in controller
In your routes file, under web middleware, you must call the impersonate route macro.
Route::impersonate();
Alternatively, you can execute this macro with your RouteServiceProvider.
namespace App\Providers; class RouteServiceProvider extends ServiceProvider { public function map() { Route::middleware('web')->group(function (Router $router) { $router->impersonate(); }); } }
// Where $id is the ID of the user you want impersonate route('impersonate', $id) // Or in case of multi guards, you should also add `guardName` (defaults to `web`) route('impersonate', ['id' => $id, 'guardName' => 'admin']) // Generate an URL to leave current impersonation route('impersonate.leave')
Advanced Usage
Defining impersonation authorization
By default all users can impersonate an user.
You need to add the method canImpersonate() to your user model:
/** * @return bool */ public function canImpersonate() { // For example return $this->is_admin == 1; }
By default all users can be impersonated.
You need to add the method canBeImpersonated() to your user model to extend this behavior:
/** * @return bool */ public function canBeImpersonated() { // For example return $this->can_be_impersonated == 1; }
Using your own strategy
- Getting the manager:
// With the app helper app('impersonate') // Dependency Injection public function impersonate(ImpersonateManager $manager, $user_id) { /* ... */ }
- Working with the manager:
$manager = app('impersonate'); // Find a user by their ID $manager->findUserById($id); // TRUE if your are impersonating an user. $manager->isImpersonating(); // Impersonate an user. Pass the original user and the user you want to impersonate $manager->take($from, $to); // Leave current impersonation $manager->leave(); // Get the impersonator ID $manager->getImpersonatorId();
Middleware
Protect From Impersonation
You can use the middleware impersonate.protect to protect your routes against user impersonation.
This middleware can be useful when you want to protect specific pages like users subscriptions, users credit cards, ...
Router::get('/my-credit-card', function() { echo "Can't be accessed by an impersonator"; })->middleware('impersonate.protect');
Events
There are two events available that can be used to improve your workflow:
- TakeImpersonationis fired when an impersonation is taken.
- LeaveImpersonationis fired when an impersonation is leaved.
Each events returns two properties $event->impersonator and $event->impersonated containing User model instance.
Configuration
The package comes with a configuration file.
Publish it with the following command:
php artisan vendor:publish --tag=impersonate
Available options:
// The session key used to store the original user id. 'session_key' => 'impersonated_by', // Where to redirect after taking an impersonation. // Only used in the built-in controller. // You can use: an URI, the keyword back (to redirect back) or a route name 'take_redirect_to' => '/', // Where to redirect after leaving an impersonation. // Only used in the built-in controller. // You can use: an URI, the keyword back (to redirect back) or a route name 'leave_redirect_to' => '/'
Blade
There are three Blade directives available.
When the user can impersonate
@canImpersonate($guard = null) <a href="{{ route('impersonate', $user->id) }}">Impersonate this user</a> @endCanImpersonate
When the user can be impersonated
This comes in handy when you have a user list and want to show an "Impersonate" button next to all the users.
But you don't want that button next to the current authenticated user neither to that users which should not be able to impersonated according your implementation of canBeImpersonated() .
@canBeImpersonated($user, $guard = null) <a href="{{ route('impersonate', $user->id) }}">Impersonate this user</a> @endCanBeImpersonated
When the user is impersonated
@impersonating($guard = null) <a href="{{ route('impersonate.leave') }}">Leave impersonation</a> @endImpersonating
Tests
vendor/bin/phpunit
Contributors
- This package was forked from Lab404 and is maintained by evoMark.
Rationale
Why not just use loginAsId()?
This package adds broader functionality, including Blade directives to allow you to override analytics and other tracking events when impersonating, fire events based on impersonation status, and more. Brief discussion at issues/5
Why did you fork this package
The original package seems to be in maintenance now, only receiving minor updates without addressing bugs or features. We wanted a few of those features.
Licence
MIT