404labfr / laravel-impersonate

Laravel Impersonate is a plugin that allows you to authenticate as your users.
https://marceau.casals.fr

Impersonate will redirect even if other user cannot be impersonated #114

Closed AshleyMinshall closed 4 years ago

AshleyMinshall commented 4 years ago

Hi, not sure if it is intended, but the code below will issue a 403 if the signed-in user may not impersonate, but will redirect back if they can impersonate but can't impersonate the user they are trying to impersonate.

        // vendor/lab404/laravel-impersonate/src/Controllers/ImpersonateController.php@45-60
        // Acting user is not allowed to impersonate anyone: hard 403.
        if (!$request->user()->canImpersonate()) {
            abort(403);
        }

        $userToImpersonate = $this->manager->findUserById($id, $guardName);

        // Target refuses impersonation: no abort(), execution falls through
        // to the redirect()->back() below, so the caller only sees a redirect.
        if ($userToImpersonate->canBeImpersonated()) {
            if ($this->manager->take($request->user(), $userToImpersonate, $guardName)) {
                $takeRedirect = $this->manager->getTakeRedirectTo();
                if ($takeRedirect !== 'back') {
                    return redirect()->to($takeRedirect);
                }
            }
        }
        // Reached both on success (with the 'back' setting) and on the refused case above.
        return redirect()->back();

This issue came up when I was testing. In my project, super-admins may impersonate any other user unless that user is a super-admin themselves.

The test therefore would result in a redirect when a super-admin tried to impersonate another super-admin. I will get around this by further checking if the redirect route is back; just adding this in case it is not expected, for anyone else who stumbles on this scenario.

Thanks Ashley

MarceauKa commented 4 years ago

Hi, thank you for your feedback! The ImpersonateController shipped with the package isn't intended to cover all purposes, and as it is really simple, you should extend it on your own. Or feel free to make a PR :)
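One way to apply the suggestion above, as an added example that is not part of the package or of either comment: an application-level controller that extends the package's `ImpersonateController` and turns the "target cannot be impersonated" case from a silent `redirect()->back()` into a 403, so both authorization checks fail closed the same way. The super-admin rule from the first comment is included as an app-specific check; `isSuperAdmin()` on the User model is an assumption, and the `take()` signature and `$this->manager` property are taken from the controller code quoted in the issue.

```php
<?php
// Added example (not the package's own code): extend the shipped controller so a
// refused target is an authorization failure rather than a redirect.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Lab404\Impersonate\Controllers\ImpersonateController as BaseImpersonateController;

class ImpersonateController extends BaseImpersonateController
{
    /**
     * Same signature as the package controller's take() action, so the
     * application's route can point here instead of at the package class.
     */
    public function take(Request $request, $id, $guardName = null)
    {
        // Identical to the package check: the acting user must be allowed
        // to impersonate at all.
        abort_unless($request->user()->canImpersonate(), 403);

        $userToImpersonate = $this->manager->findUserById($id, $guardName);

        // Fail closed: a target that refuses impersonation is an authorization
        // failure. The package silently redirects back here instead.
        abort_unless($userToImpersonate->canBeImpersonated(), 403);

        // App-specific rule from the issue: super-admins may not impersonate
        // each other. isSuperAdmin() is assumed to exist on the User model.
        abort_if(
            $request->user()->isSuperAdmin() && $userToImpersonate->isSuperAdmin(),
            403
        );

        // A failed take() (e.g. already impersonating) is also reported rather
        // than hidden behind a redirect; this is a design choice, not package behaviour.
        abort_unless(
            $this->manager->take($request->user(), $userToImpersonate, $guardName),
            403
        );

        $takeRedirect = $this->manager->getTakeRedirectTo();

        return $takeRedirect !== 'back'
            ? redirect()->to($takeRedirect)
            : redirect()->back();
    }
}
```

Register your own route for the take action pointing at this class rather than relying on the package's route registration, and cover it with a feature test that asserts a 403 for a super-admin trying to impersonate another super-admin: with the package's controller that test would only see a redirect, which is exactly the ambiguity the issue describes.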

AshleyMinshall commented 4 years ago

Makes sense, will close