feat: add user impersonation service

app/Policies/ImpersonationPolicy.php

@@ -0,0 +1,97 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies;
+
+use App\enum\UserLevel;
+use App\Models\User;
+use App\Services\ImpersonationService;
+use Illuminate\Auth\Access\Response;
+
+final class ImpersonationPolicy
+{
+    public function __construct(
+        private readonly ImpersonationService $impersonationService
+    ) {}
+
+    public function start(User $admin, User $target): Response
+    {
+        // Only SUPERADMIN can impersonate
+        if ($admin->user_level !== UserLevel::SUPERADMIN) {
+            return Response::deny('Only SUPERADMIN users can impersonate other users.');
+        }
+
+        // Cannot impersonate other SUPERADMIN users
+        if ($target->user_level === UserLevel::SUPERADMIN) {
+            return Response::deny('Cannot impersonate SUPERADMIN users.');
+        }
+
+        // Cannot impersonate self
+        if ($admin->id === $target->id) {
+            return Response::deny('Cannot impersonate yourself.');
+        }
+
+        // Can only impersonate NORMALUSER
+        if ($target->user_level !== UserLevel::NORMALUSER) {
+            return Response::deny('Can only impersonate NORMALUSER accounts.');
+        }
+
+        // Check if admin is already impersonating someone
+        if ($this->impersonationService->isImpersonating()) {
+            return Response::deny('You are already impersonating another user. Please stop the current impersonation first.');
+        }
+
+        // Rate limiting: Check if admin has too many recent impersonation attempts
+        $recentAttempts = $admin->impersonationLogs()
+            ->where('start_time', '>', now()->subHours(1))
+            ->count();
+
+        if ($recentAttempts >= 10) {
+            return Response::deny('Too many impersonation attempts. Please try again later.');
+        }
+
+        return Response::allow();
+    }
+
+    public function stop(User $user): Response
+    {
+        // Only users who are currently impersonating can stop impersonation
+        if (! $this->impersonationService->isImpersonating()) {
+            return Response::deny('No active impersonation session found.');
+        }
+
+        // The original admin user must be the one stopping the impersonation
+        $impersonator = $this->impersonationService->getCurrentImpersonator();
+        if (! $impersonator || $impersonator->id !== $user->id) {
+            return Response::deny('You are not authorized to stop this impersonation session.');
+        }
+
+        return Response::allow();
+    }
+
+    public function viewAny(User $user): Response
+    {
+        // Only SUPERADMIN can view impersonation logs
+        if ($user->user_level !== UserLevel::SUPERADMIN) {
+            return Response::deny('Only SUPERADMIN users can view impersonation logs.');
+        }
+
+        return Response::allow();
+    }
+
+    public function view(User $user, $impersonationLog): Response
+    {
+        // Only SUPERADMIN can view specific impersonation logs
+        if ($user->user_level !== UserLevel::SUPERADMIN) {
+            return Response::deny('Only SUPERADMIN users can view impersonation logs.');
+        }
+
+        // Users can only view logs where they are the admin
+        if ($impersonationLog->admin_id !== $user->id) {
+            return Response::deny('You can only view your own impersonation logs.');
+        }
+
+        return Response::allow();
+    }
+}