98 lines
3.2 KiB
PHP
98 lines
3.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Policies;
|
|
|
|
use App\enum\UserLevel;
|
|
use App\Models\User;
|
|
use App\Services\ImpersonationService;
|
|
use Illuminate\Auth\Access\Response;
|
|
|
|
final class ImpersonationPolicy
|
|
{
|
|
public function __construct(
|
|
private readonly ImpersonationService $impersonationService
|
|
) {}
|
|
|
|
public function start(User $admin, User $target): Response
|
|
{
|
|
// Only SUPERADMIN can impersonate
|
|
if ($admin->user_level !== UserLevel::SUPERADMIN) {
|
|
return Response::deny('Only SUPERADMIN users can impersonate other users.');
|
|
}
|
|
|
|
// Cannot impersonate other SUPERADMIN users
|
|
if ($target->user_level === UserLevel::SUPERADMIN) {
|
|
return Response::deny('Cannot impersonate SUPERADMIN users.');
|
|
}
|
|
|
|
// Cannot impersonate self
|
|
if ($admin->id === $target->id) {
|
|
return Response::deny('Cannot impersonate yourself.');
|
|
}
|
|
|
|
// Can only impersonate NORMALUSER
|
|
if ($target->user_level !== UserLevel::NORMALUSER) {
|
|
return Response::deny('Can only impersonate NORMALUSER accounts.');
|
|
}
|
|
|
|
// Check if admin is already impersonating someone
|
|
if ($this->impersonationService->isImpersonating()) {
|
|
return Response::deny('You are already impersonating another user. Please stop the current impersonation first.');
|
|
}
|
|
|
|
// Rate limiting: Check if admin has too many recent impersonation attempts
|
|
$recentAttempts = $admin->impersonationLogs()
|
|
->where('start_time', '>', now()->subHours(1))
|
|
->count();
|
|
|
|
if ($recentAttempts >= 10) {
|
|
return Response::deny('Too many impersonation attempts. Please try again later.');
|
|
}
|
|
|
|
return Response::allow();
|
|
}
|
|
|
|
public function stop(User $user): Response
|
|
{
|
|
// Only users who are currently impersonating can stop impersonation
|
|
if (! $this->impersonationService->isImpersonating()) {
|
|
return Response::deny('No active impersonation session found.');
|
|
}
|
|
|
|
// The original admin user must be the one stopping the impersonation
|
|
$impersonator = $this->impersonationService->getCurrentImpersonator();
|
|
if (! $impersonator || $impersonator->id !== $user->id) {
|
|
return Response::deny('You are not authorized to stop this impersonation session.');
|
|
}
|
|
|
|
return Response::allow();
|
|
}
|
|
|
|
public function viewAny(User $user): Response
|
|
{
|
|
// Only SUPERADMIN can view impersonation logs
|
|
if ($user->user_level !== UserLevel::SUPERADMIN) {
|
|
return Response::deny('Only SUPERADMIN users can view impersonation logs.');
|
|
}
|
|
|
|
return Response::allow();
|
|
}
|
|
|
|
public function view(User $user, $impersonationLog): Response
|
|
{
|
|
// Only SUPERADMIN can view specific impersonation logs
|
|
if ($user->user_level !== UserLevel::SUPERADMIN) {
|
|
return Response::deny('Only SUPERADMIN users can view impersonation logs.');
|
|
}
|
|
|
|
// Users can only view logs where they are the admin
|
|
if ($impersonationLog->admin_id !== $user->id) {
|
|
return Response::deny('You can only view your own impersonation logs.');
|
|
}
|
|
|
|
return Response::allow();
|
|
}
|
|
}
|