feat: add impersonate #141
Conversation
WalkthroughAdds a composer dependency for Filament impersonation; adds an Impersonate record action to the users table; renames Dashboard → UserDashboard across code and tests; removes Dashboard page registration from the user panel provider; and extends the base seeder to create additional users and related records. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes
Suggested reviewers
Poem
Pre-merge checks and finishing touches❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✨ Finishing touches
🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
| "predis/predis": "^2.4.1", | ||
| "ryangjchandler/commonmark-blade-block": "^1.1", | ||
| "spatie/laravel-medialibrary": "^11.17.5", | ||
| "stechstudio/filament-impersonate": "^4.0", |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
stechstudio/filament-impersonate Packagist package
💡 Result:
stechstudio/filament-impersonate — summary
- What it is: a Filament plugin that lets admins impersonate users (uses 404labfr/laravel-impersonate). [1][2]
- Latest Packagist version: 4.0.1 (released 2025-08-13). [1]
- Requirements (example): filament/filament ^4.0 and lab404/laravel-impersonate ^1.7. [1]
- Installs / popularity: ~1.97M installs, ~355 stars on GitHub. [1][2]
- Source / repo: github.com/stechstudio/filament-impersonate. [2]
Install: composer require stechstudio/filament-impersonate. [1]
Sources: Packagist package page and project GitHub. [1][2]
🏁 Script executed:
#!/bin/bash
# Check what files changed in this PR to see if implementation code is included
git diff --name-only HEAD~1 HEAD 2>/dev/null | head -20 || echo "Git history not available"
# Also check composer.json to see all changes
git diff HEAD~1 HEAD composer.json 2>/dev/null || echo "Could not get git diff"Repository: he4rt/he4rt-bot-api
Length of output: 85
🌐 Web query:
stechstudio/filament-impersonate security CVE vulnerability
💡 Result:
I found no CVE or public security advisory specifically for stechstudio/filament-impersonate. The repository itself is active on GitHub [1]. The notable Filament security issues that do have CVEs (e.g., CVE-2024-47186 affecting Filament core color components) are for the Filament project, not the stechstudio/filament-impersonate plugin [2]. Public CVE aggregators and advisories list Filament/core vulnerabilities but do not show a CVE entry for stechstudio/filament-impersonate [3].
If you want, I can:
- monitor the repo’s GitHub Security Advisories and Dependabot alerts and notify you of any new advisories, or
- scan your project for usage of this package and suggest mitigations.
Sources: GitHub repo (stechstudio/filament-impersonate) [1]; Filament CVE example (CVE-2024-47186) analysis [2]; CVE/advisory aggregator listings (no CVE for that plugin) [3].
🏁 Script executed:
#!/bin/bash
# Check if there are any implementation files for impersonate feature
# Look for config files, middleware, routes, controllers, or service providers
echo "=== Checking for impersonate-related implementation files ==="
fd -e php | xargs grep -l "impersonate\|Impersonate" 2>/dev/null | head -20
echo ""
echo "=== Checking for new files in config directory ==="
find . -path ./vendor -prune -o -type f -name "*impersonate*" -print 2>/dev/null
echo ""
echo "=== Checking composer.json changes ==="
cat composer.json | grep -A2 -B2 "filament-impersonate"Repository: he4rt/he4rt-bot-api
Length of output: 471
PR adds only the composer dependency; implementation code is missing.
The package stechstudio/filament-impersonate (v4.0.1) is legitimate, well-maintained (1.97M installs, 355 stars), and has no known security vulnerabilities. Version ^4.0 is fully compatible with Laravel 12.40.2 and Filament ^4.2.3 (package requires filament/filament ^4.0).
However, this PR contains only the composer.json change. No implementation files (config, routes, middleware, service provider registration, etc.) were added. The impersonate feature will not function until these are included.
🤖 Prompt for AI Agents
In composer.json at line 49, the PR adds the dependency
stechstudio/filament-impersonate but provides no implementation; add the missing
integration artifacts so the package actually works: register the package's
service provider (or add to the app providers array), add/publish and include
the package config file, wire up any required routes and middleware (and
register the middleware in kernel or Filament auth stack), and ensure any
required views/publishable assets are published and referenced; update
documentation or README and include tests or a simple usage example showing an
admin can impersonate a user.
There was a problem hiding this comment.
Actionable comments posted: 2
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (6)
app-modules/user/src/Filament/Admin/Resources/Users/Tables/UsersTable.php(2 hunks)app-modules/user/src/Filament/User/Pages/UserDashboard.php(2 hunks)app-modules/user/src/Plugins/AppUserPanelPlugin.php(2 hunks)app-modules/user/tests/Feature/Filament/App/Pages/DashboardPageTest.php(3 hunks)app/Providers/Filament/UserPanelProvider.php(0 hunks)database/seeders/BaseSeeder.php(1 hunks)
💤 Files with no reviewable changes (1)
- app/Providers/Filament/UserPanelProvider.php
🧰 Additional context used
🧬 Code graph analysis (3)
app-modules/user/src/Plugins/AppUserPanelPlugin.php (1)
app-modules/user/src/Filament/User/Pages/UserDashboard.php (1)
UserDashboard(12-30)
database/seeders/BaseSeeder.php (5)
app-modules/provider/src/Models/Provider.php (2)
user(59-62)Provider(28-96)app-modules/user/src/Entities/InformationEntity.php (1)
update(36-44)app-modules/character/src/Models/Character.php (1)
Character(28-128)app-modules/user/src/Models/Information.php (1)
Information(13-43)app-modules/user/src/Models/Address.php (1)
Address(21-49)
app-modules/user/tests/Feature/Filament/App/Pages/DashboardPageTest.php (1)
app-modules/user/src/Filament/User/Pages/UserDashboard.php (1)
UserDashboard(12-30)
🔇 Additional comments (4)
app-modules/user/src/Filament/User/Pages/UserDashboard.php (2)
12-12: LGTM on the class rename.The rename from
DashboardtoUserDashboardis consistent with the updates in tests, plugins, and panel providers.
28-28: Good defensive null-safe access.The null-safe operator handles the edge case where
$this->tenantmight be null (user not a member of the current tenant). However, iftenantis null,stats()will return null, so ensure the view (users::filament.app-dashboard) gracefully handles a null character.app-modules/user/src/Plugins/AppUserPanelPlugin.php (1)
11-11: LGTM!The import and page registration correctly reference the renamed
UserDashboardclass.Also applies to: 25-25
app-modules/user/tests/Feature/Filament/App/Pages/DashboardPageTest.php (1)
10-10: LGTM!The test correctly updates all references from
DashboardtoUserDashboard, maintaining consistency with the renamed class.Also applies to: 46-46, 53-53, 63-63
| Impersonate::make() | ||
| ->visible(fn (User $record) => (bool) $record->character?->tenant?->slug) | ||
| ->redirectTo(function (User $record): string { | ||
| $tenantName = $record->character?->tenant?->slug; | ||
|
|
||
| return '/app/'.$tenantName; | ||
| }), |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# First, find the User model file to check the character relationship definition
find . -type f -name "*.php" | grep -i "models/User" | head -5Repository: he4rt/he4rt-bot-api
Length of output: 101
🏁 Script executed:
#!/bin/bash
# Read the User model to examine the character relationship
wc -l ./app-modules/user/src/Models/User.phpRepository: he4rt/he4rt-bot-api
Length of output: 105
🏁 Script executed:
#!/bin/bash
# Read the full User model to see the character relationship
cat -n ./app-modules/user/src/Models/User.phpRepository: he4rt/he4rt-bot-api
Length of output: 5473
🏁 Script executed:
#!/bin/bash
# Find the Character model
find . -type f -name "*.php" | grep -i "models/Character" | head -5Repository: he4rt/he4rt-bot-api
Length of output: 111
🏁 Script executed:
#!/bin/bash
# Read the Character model
wc -l ./app-modules/character/src/Models/Character.phpRepository: he4rt/he4rt-bot-api
Length of output: 115
🏁 Script executed:
#!/bin/bash
# Read the Character model
cat -n ./app-modules/character/src/Models/Character.phpRepository: he4rt/he4rt-bot-api
Length of output: 4051
🏁 Script executed:
#!/bin/bash
# Check if there's a HasMany characters relationship on User (maybe I missed it)
rg -A2 -B2 "hasMany.*[Cc]haracter|characters\(" ./app-modules/user/src/Models/User.phpRepository: he4rt/he4rt-bot-api
Length of output: 45
🏁 Script executed:
#!/bin/bash
# Check if Character model uses SoftDeletes
rg -n "SoftDelete" ./app-modules/character/src/Models/Character.phpRepository: he4rt/he4rt-bot-api
Length of output: 45
🏁 Script executed:
#!/bin/bash
# Find the characters table migration
find . -type f -name "*create_characters_table*"Repository: he4rt/he4rt-bot-api
Length of output: 152
🏁 Script executed:
#!/bin/bash
# Read the migration file
cat -n ./app-modules/character/database/migrations/2023_01_14_053138_create_characters_table.phpRepository: he4rt/he4rt-bot-api
Length of output: 1247
🏁 Script executed:
#!/bin/bash
# Find migrations that add tenant_id to characters
find . -type f -name "*characters*" -path "*/migrations/*" | xargs grep -l "tenant_id" 2>/dev/nullRepository: he4rt/he4rt-bot-api
Length of output: 47
🏁 Script executed:
#!/bin/bash
# Find all character migrations and search for tenant_id
find ./app-modules/character/database/migrations -type f -name "*.php" -exec grep -l "tenant_id" {} \;Repository: he4rt/he4rt-bot-api
Length of output: 45
🏁 Script executed:
#!/bin/bash
# Search all migrations for tenant_id
find . -type f -path "*/migrations/*.php" -exec grep -l "tenant_id" {} \; | head -10Repository: he4rt/he4rt-bot-api
Length of output: 494
🏁 Script executed:
#!/bin/bash
# Read UsersTable.php to see the full context
cat -n ./app-modules/user/src/Filament/Admin/Resources/Users/Tables/UsersTable.phpRepository: he4rt/he4rt-bot-api
Length of output: 1951
🏁 Script executed:
#!/bin/bash
# Search for tests or code that might create multiple characters per user
rg -n "character|Character" ./app-modules/character/src/Database/Factories/ 2>/dev/null | head -20Repository: he4rt/he4rt-bot-api
Length of output: 45
🏁 Script executed:
#!/bin/bash
# Find CharacterFactory
find . -type f -name "*CharacterFactory*"Repository: he4rt/he4rt-bot-api
Length of output: 126
Consider adding a fallback for edge cases where tenant becomes null or is unexpectedly missing.
The code uses $record->character (a HasOne relationship returning one character per user), so the concern about multiple characters across tenants is not architecturally enforced at the model level. However, while the visible() guard checks for a non-null tenant slug, the redirectTo() callback could theoretically receive a null $tenantName if the tenant relationship is unexpectedly missing or becomes null between the two checks, resulting in '/app/' as the redirect target.
The suggested defensive fallback is reasonable:
Impersonate::make()
->visible(fn (User $record) => (bool) $record->character?->tenant?->slug)
->redirectTo(function (User $record): string {
- $tenantName = $record->character?->tenant?->slug;
+ $tenantName = $record->character?->tenant?->slug ?? '';
+
+ if (empty($tenantName)) {
+ return '/admin';
+ }
return '/app/'.$tenantName;
}),📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| Impersonate::make() | |
| ->visible(fn (User $record) => (bool) $record->character?->tenant?->slug) | |
| ->redirectTo(function (User $record): string { | |
| $tenantName = $record->character?->tenant?->slug; | |
| return '/app/'.$tenantName; | |
| }), | |
| Impersonate::make() | |
| ->visible(fn (User $record) => (bool) $record->character?->tenant?->slug) | |
| ->redirectTo(function (User $record): string { | |
| $tenantName = $record->character?->tenant?->slug ?? ''; | |
| if (empty($tenantName)) { | |
| return '/admin'; | |
| } | |
| return '/app/'.$tenantName; | |
| }), |
🤖 Prompt for AI Agents
In app-modules/user/src/Filament/Admin/Resources/Users/Tables/UsersTable.php
around lines 36–42, the Impersonate redirectTo() can build '/app/'.$tenantName
even if $tenantName becomes null between visible() and redirectTo(); update
redirectTo() to defensively check $tenantName and return a safe fallback when
missing — e.g., compute $tenantName = $record->character?->tenant?->slug; if
empty or null return '/app' (or another configured safe route) else return
'/app/'.$tenantName ensuring the callback always returns a non-empty string.
| User::factory() | ||
| ->count(5) | ||
| ->create() | ||
| ->each(function (User $user, $index) use ($tenant): void { | ||
| $idx = $index + 1; | ||
| $user->update([ | ||
| 'username' => 'fake_user_'.$idx, | ||
| 'name' => 'Fake User '.$idx, | ||
| ]); | ||
| Character::factory()->recycle($user)->recycle($tenant)->create(); | ||
| Information::factory()->recycle($user)->create(); | ||
| Address::factory()->recycle($user)->create(); | ||
| Provider::factory()->recycle($user)->recycle($tenant)->create(); | ||
| }); |
There was a problem hiding this comment.
New users are not attached as tenant members.
The admin user is attached to the tenant via $tenant->members()->attach($user) (line 41), but these 5 additional users are not. This may cause issues when testing impersonation or tenant-scoped features, as these users won't be recognized as tenant members despite having Characters and Providers linked to the tenant.
Consider attaching new users to the tenant:
User::factory()
->count(5)
->create()
->each(function (User $user, $index) use ($tenant): void {
$idx = $index + 1;
$user->update([
'username' => 'fake_user_'.$idx,
'name' => 'Fake User '.$idx,
]);
+ $tenant->members()->attach($user);
Character::factory()->recycle($user)->recycle($tenant)->create();
Information::factory()->recycle($user)->create();
Address::factory()->recycle($user)->create();
Provider::factory()->recycle($user)->recycle($tenant)->create();
});📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| User::factory() | |
| ->count(5) | |
| ->create() | |
| ->each(function (User $user, $index) use ($tenant): void { | |
| $idx = $index + 1; | |
| $user->update([ | |
| 'username' => 'fake_user_'.$idx, | |
| 'name' => 'Fake User '.$idx, | |
| ]); | |
| Character::factory()->recycle($user)->recycle($tenant)->create(); | |
| Information::factory()->recycle($user)->create(); | |
| Address::factory()->recycle($user)->create(); | |
| Provider::factory()->recycle($user)->recycle($tenant)->create(); | |
| }); | |
| User::factory() | |
| ->count(5) | |
| ->create() | |
| ->each(function (User $user, $index) use ($tenant): void { | |
| $idx = $index + 1; | |
| $user->update([ | |
| 'username' => 'fake_user_'.$idx, | |
| 'name' => 'Fake User '.$idx, | |
| ]); | |
| $tenant->members()->attach($user); | |
| Character::factory()->recycle($user)->recycle($tenant)->create(); | |
| Information::factory()->recycle($user)->create(); | |
| Address::factory()->recycle($user)->create(); | |
| Provider::factory()->recycle($user)->recycle($tenant)->create(); | |
| }); |
🤖 Prompt for AI Agents
In database/seeders/BaseSeeder.php around lines 53 to 66, the five created users
are not being attached as members of the tenant which will break tenant-scoped
behavior; within the each(...) closure after creating/updating the user, call
the tenant membership attach method (e.g. $tenant->members()->attach($user->id)
or $tenant->members()->syncWithoutDetaching([$user->id]) so existing members are
preserved) — include any required pivot data (role, joined_at) if your tenants
expect it, and do this before creating tenant-scoped child factories so those
relations will resolve correctly.
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (1)
app-modules/user/tests/Feature/Filament/Admin/Resources/User/ListUsersTest.php (1)
10-11: Auth setup for ListUsers looks good; consider explicit admin state for clarityCreating a separate
$adminand calling$this->actingAs($admin)before renderingListUsersis the right move to ensure the page is exercised in an authenticated context and not redirected by middleware. If your domain uses roles/permissions to guard this resource, consider switching to an explicit admin factory state (e.g.User::factory()->admin()->create()) or adding the required role to$adminso the test clearly reflects the intent that this is an authorized admin user.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
app-modules/user/tests/Feature/Filament/Admin/Resources/User/ListUsersTest.php(1 hunks)
Summary by CodeRabbit
✏️ Tip: You can customize this high-level summary in your review settings.