user_level !== UserLevel::SUPERADMIN) { return Response::deny('Only SUPERADMIN users can impersonate other users.'); } // Cannot impersonate other SUPERADMIN users if ($target->user_level === UserLevel::SUPERADMIN) { return Response::deny('Cannot impersonate SUPERADMIN users.'); } // Cannot impersonate self if ($admin->id === $target->id) { return Response::deny('Cannot impersonate yourself.'); } // Can only impersonate NORMALUSER if ($target->user_level !== UserLevel::NORMALUSER) { return Response::deny('Can only impersonate NORMALUSER accounts.'); } // Check if admin is already impersonating someone if ($this->impersonationService->isImpersonating()) { return Response::deny('You are already impersonating another user. Please stop the current impersonation first.'); } // Rate limiting: Check if admin has too many recent impersonation attempts $recentAttempts = $admin->impersonationLogs() ->where('start_time', '>', now()->subHours(1)) ->count(); if ($recentAttempts >= 10) { return Response::deny('Too many impersonation attempts. Please try again later.'); } return Response::allow(); } public function stop(User $user): Response { // Only users who are currently impersonating can stop impersonation if (! $this->impersonationService->isImpersonating()) { return Response::deny('No active impersonation session found.'); } // The original admin user must be the one stopping the impersonation $impersonator = $this->impersonationService->getCurrentImpersonator(); if (! $impersonator || $impersonator->id !== $user->id) { return Response::deny('You are not authorized to stop this impersonation session.'); } return Response::allow(); } public function viewAny(User $user): Response { // Only SUPERADMIN can view impersonation logs if ($user->user_level !== UserLevel::SUPERADMIN) { return Response::deny('Only SUPERADMIN users can view impersonation logs.'); } return Response::allow(); } public function view(User $user, $impersonationLog): Response { // Only SUPERADMIN can view specific impersonation logs if ($user->user_level !== UserLevel::SUPERADMIN) { return Response::deny('Only SUPERADMIN users can view impersonation logs.'); } // Users can only view logs where they are the admin if ($impersonationLog->admin_id !== $user->id) { return Response::deny('You can only view your own impersonation logs.'); } return Response::allow(); } }