If the user has impersonation permissions, it should be possible to impersonate another user for the request.
The request should contain a header X-Act-As with the user's email or user ID.
This is similar code from another project:
```php
<?php

namespace App\Http\Middleware;

use App\Models\User;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class Impersonate
{
    /**
     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     *
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        // Only act when the X-Act-As header is present
        if ($request->header('x-act-as')) {
            /** @var \App\Models\User $user */
            $user = $request->user();

            // The authenticated caller must hold the impersonation permission
            if ($user && $user->can('impersonate Users')) {
                // Find user to impersonate.
                // Note: the impersonate_uuid fallback is never reached here,
                // because this branch only runs when the header is set.
                $actAs = $request->header('x-act-as') ?? $request->input('impersonate_uuid');

                // Match the value against either the uuid or the email column
                $userQuery = User::query();
                $userQuery->where(function ($query) use ($actAs) {
                    $query->where('uuid', $actAs);
                    $query->orWhere('email', $actAs);
                });

                /** @var \App\Models\User $impersonateUser */
                $impersonateUser = $userQuery->first();

                if ($impersonateUser) {
                    Auth::user()->impersonate($impersonateUser);
                }
            }
        }

        // If the permission or the target is missing, the request continues as the caller
        return $next($request);
    }
}
```
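The middleware above ignores the header when the caller lacks the permission or the target does not exist, so the request runs as the caller. The following added example (not code from this request or from the other project) shows the same decision in plain PHP with the header failing closed and an audit line per attempt; the helper name `resolveActAs`, the status codes, the audit format and the sample users are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample users; fields mirror the uuid/email lookup in the middleware.
$users = [
    ['uuid' => 'aaaa-1111', 'email' => 'admin@example.test', 'permissions' => ['impersonate Users']],
    ['uuid' => 'bbbb-2222', 'email' => 'alice@example.test', 'permissions' => []],
];

/**
 * Hypothetical helper: decide which user a request runs as.
 * Returns [httpStatus, effectiveUser|null, auditLine|null].
 */
function resolveActAs(?array $caller, ?string $actAs, array $users): array
{
    if ($actAs === null || $actAs === '') {
        return [200, $caller, null];              // no header: ordinary request
    }
    if ($caller === null) {
        return [401, null, null];                 // header sent without authentication
    }
    if (!in_array('impersonate Users', $caller['permissions'], true)) {
        // Fail closed instead of silently continuing as the caller.
        return [403, null, "DENY {$caller['uuid']} act-as"];
    }
    // Exact match on uuid or email, as in the middleware's query.
    $matches = array_values(array_filter(
        $users,
        fn (array $u): bool => $u['uuid'] === $actAs || $u['email'] === $actAs
    ));
    if (count($matches) !== 1) {
        // Unknown or ambiguous target. The raw header value is client-controlled,
        // so it is kept out of the audit line.
        return [404, null, "MISS {$caller['uuid']} act-as"];
    }
    return [200, $matches[0], "ALLOW {$caller['uuid']} as {$matches[0]['uuid']}"];
}

// Constructed requests: [authenticated caller, X-Act-As header value]
$cases = [
    [$users[0], null],
    [$users[0], 'alice@example.test'],
    [$users[1], 'admin@example.test'],
    [$users[0], 'nobody@example.test'],
    [null, 'alice@example.test'],
];
foreach ($cases as [$caller, $header]) {
    [$status, $effective, $audit] = resolveActAs($caller, $header, $users);
    printf("%d %s %s\n", $status, $effective['email'] ?? '-', $audit ?? '-');
}
```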