Skip to content

feat: add impersonate #141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Clintonrocha98 wants to merge 6 commits into
base: 3.x
Choose a base branch
from
Open

feat: add impersonate #141

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3b6fd3c
wip
Clintonrocha98 Nov 27, 2025
0c4e554
wip
Clintonrocha98 Nov 27, 2025
9a8ce65
feat(users): enhance impersonation action with tenant-based visibilit…
Clintonrocha98 Nov 28, 2025
b9f02cd
feat(user-dashboard): rename Dashboard to UserDashboard and update re…
Clintonrocha98 Nov 28, 2025
3910111
feat(seeder): add user and related data generation in BaseSeeder
Clintonrocha98 Nov 28, 2025
e883152
wip
Clintonrocha98 Nov 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions app-modules/user/src/Filament/Admin/Resources/Users/Tables/UsersTable.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@
use Filament\Tables\Columns\IconColumn;
use Filament\Tables\Columns\TextColumn;
use Filament\Tables\Table;
use He4rt\User\Models\User;
use STS\FilamentImpersonate\Actions\Impersonate;

class UsersTable
{
Expand All @@ -31,6 +33,13 @@ public static function configure(Table $table): Table
])
->recordActions([
EditAction::make(),
Impersonate::make()
->visible(fn (User $record) => (bool) $record->character?->tenant?->slug)
->redirectTo(function (User $record): string {
$tenantName = $record->character?->tenant?->slug;

return '/app/'.$tenantName;
}),
Comment on lines +36 to +42
Copy link

@coderabbitai coderabbitai bot Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, find the User model file to check the character relationship definition
find . -type f -name "*.php" | grep -i "models/User" | head -5

Repository: he4rt/he4rt-bot-api

Length of output: 101

🏁 Script executed:

#!/bin/bash
# Read the User model to examine the character relationship
wc -l ./app-modules/user/src/Models/User.php

Repository: he4rt/he4rt-bot-api

Length of output: 105

🏁 Script executed:

#!/bin/bash
# Read the full User model to see the character relationship
cat -n ./app-modules/user/src/Models/User.php

Repository: he4rt/he4rt-bot-api

Length of output: 5473

🏁 Script executed:

#!/bin/bash
# Find the Character model
find . -type f -name "*.php" | grep -i "models/Character" | head -5

Repository: he4rt/he4rt-bot-api

Length of output: 111

🏁 Script executed:

#!/bin/bash
# Read the Character model
wc -l ./app-modules/character/src/Models/Character.php

Repository: he4rt/he4rt-bot-api

Length of output: 115

🏁 Script executed:

#!/bin/bash
# Read the Character model
cat -n ./app-modules/character/src/Models/Character.php

Repository: he4rt/he4rt-bot-api

Length of output: 4051

🏁 Script executed:

#!/bin/bash
# Check if there's a HasMany characters relationship on User (maybe I missed it)
rg -A2 -B2 "hasMany.*[Cc]haracter|characters\(" ./app-modules/user/src/Models/User.php

Repository: he4rt/he4rt-bot-api

Length of output: 45

🏁 Script executed:

#!/bin/bash
# Check if Character model uses SoftDeletes
rg -n "SoftDelete" ./app-modules/character/src/Models/Character.php

Repository: he4rt/he4rt-bot-api

Length of output: 45

🏁 Script executed:

#!/bin/bash
# Find the characters table migration
find . -type f -name "*create_characters_table*"

Repository: he4rt/he4rt-bot-api

Length of output: 152

🏁 Script executed:

#!/bin/bash
# Read the migration file
cat -n ./app-modules/character/database/migrations/2023_01_14_053138_create_characters_table.php

Repository: he4rt/he4rt-bot-api

Length of output: 1247

🏁 Script executed:

#!/bin/bash
# Find migrations that add tenant_id to characters
find . -type f -name "*characters*" -path "*/migrations/*" | xargs grep -l "tenant_id" 2>/dev/null

Repository: he4rt/he4rt-bot-api

Length of output: 47

🏁 Script executed:

#!/bin/bash
# Find all character migrations and search for tenant_id
find ./app-modules/character/database/migrations -type f -name "*.php" -exec grep -l "tenant_id" {} \;

Repository: he4rt/he4rt-bot-api

Length of output: 45

🏁 Script executed:

#!/bin/bash
# Search all migrations for tenant_id
find . -type f -path "*/migrations/*.php" -exec grep -l "tenant_id" {} \; | head -10

Repository: he4rt/he4rt-bot-api

Length of output: 494

🏁 Script executed:

#!/bin/bash
# Read UsersTable.php to see the full context
cat -n ./app-modules/user/src/Filament/Admin/Resources/Users/Tables/UsersTable.php

Repository: he4rt/he4rt-bot-api

Length of output: 1951

🏁 Script executed:

#!/bin/bash
# Search for tests or code that might create multiple characters per user
rg -n "character|Character" ./app-modules/character/src/Database/Factories/ 2>/dev/null | head -20

Repository: he4rt/he4rt-bot-api

Length of output: 45

🏁 Script executed:

#!/bin/bash
# Find CharacterFactory
find . -type f -name "*CharacterFactory*"

Repository: he4rt/he4rt-bot-api

Length of output: 126

Consider adding a fallback for edge cases where tenant becomes null or is unexpectedly missing.

The code uses $record->character (a HasOne relationship returning one character per user), so the concern about multiple characters across tenants is not architecturally enforced at the model level. However, while the visible() guard checks for a non-null tenant slug, the redirectTo() callback could theoretically receive a null $tenantName if the tenant relationship is unexpectedly missing or becomes null between the two checks, resulting in '/app/' as the redirect target.

The suggested defensive fallback is reasonable:

                 Impersonate::make()
                     ->visible(fn (User $record) => (bool) $record->character?->tenant?->slug)
                     ->redirectTo(function (User $record): string {
-                        $tenantName = $record->character?->tenant?->slug;
+                        $tenantName = $record->character?->tenant?->slug ?? '';
+                        
+                        if (empty($tenantName)) {
+                            return '/admin';
+                        }

                         return '/app/'.$tenantName;
                     }),
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Impersonate::make()
->visible(fn (User $record) => (bool) $record->character?->tenant?->slug)
->redirectTo(function (User $record): string {
$tenantName = $record->character?->tenant?->slug;
return '/app/'.$tenantName;
}),
Impersonate::make()
->visible(fn (User $record) => (bool) $record->character?->tenant?->slug)
->redirectTo(function (User $record): string {
$tenantName = $record->character?->tenant?->slug ?? '';
if (empty($tenantName)) {
return '/admin';
}
return '/app/'.$tenantName;
}),
🤖 Prompt for AI Agents 
In app-modules/user/src/Filament/Admin/Resources/Users/Tables/UsersTable.php
around lines 36–42, the Impersonate redirectTo() can build '/app/'.$tenantName
even if $tenantName becomes null between visible() and redirectTo(); update
redirectTo() to defensively check $tenantName and return a safe fallback when
missing — e.g., compute $tenantName = $record->character?->tenant?->slug; if
empty or null return '/app' (or another configured safe route) else return
'/app/'.$tenantName ensuring the callback always returns a non-empty string.

])
->toolbarActions([
BulkActionGroup::make([
Expand Down
4 changes: 2 additions & 2 deletions ...ser/src/Filament/User/Pages/Dashboard.php → ...src/Filament/User/Pages/UserDashboard.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
use He4rt\Tenant\Models\Tenant;
use Livewire\Attributes\Computed;

class Dashboard extends FilamentDashboard
class UserDashboard extends FilamentDashboard
{
protected string $view = 'users::filament.app-dashboard';

Expand All @@ -25,6 +25,6 @@ public function mount(): void
#[Computed]
public function stats()
{
return auth()->user()->character()->where('tenant_id', '=', $this->tenant->getKey())->first();
return auth()->user()->character()->where('tenant_id', '=', $this->tenant?->getKey())->first();
}
}
4 changes: 2 additions & 2 deletions app-modules/user/src/Plugins/AppUserPanelPlugin.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
use Filament\Contracts\Plugin;
use Filament\Panel;
use He4rt\Events\Filament\App\EventModels\Widgets\LatestEvents;
use He4rt\User\Filament\User\Pages\Dashboard;
use He4rt\User\Filament\User\Pages\UserDashboard;
use He4rt\User\Filament\User\Pages\UserProfile;

class AppUserPanelPlugin implements Plugin
Expand All @@ -22,7 +22,7 @@ public function register(Panel $panel): void
{
$panel->pages([
UserProfile::class,
Dashboard::class,
UserDashboard::class,
]);
$panel->widgets([
LatestEvents::class,
Expand Down
3 changes: 2 additions & 1 deletion app-modules/user/tests/Feature/Filament/Admin/Resources/User/ListUsersTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@

it('renders the list of users', function (): void {
$users = User::factory()->count(5)->create();

$admin = User::factory()->create();
$this->actingAs($admin);
$this->livewire(ListUsers::class)
->assertOk()
->assertCanSeeTableRecords($users);
Expand Down
8 changes: 4 additions & 4 deletions app-modules/user/tests/Feature/Filament/App/Pages/DashboardPageTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
use He4rt\Events\Models\EventModel;
use He4rt\Season\Models\Season;
use He4rt\Tenant\Models\Tenant;
use He4rt\User\Filament\User\Pages\Dashboard;
use He4rt\User\Filament\User\Pages\UserDashboard;
use He4rt\User\Models\User;
use Illuminate\Support\Facades\Date;

Expand Down Expand Up @@ -43,14 +43,14 @@
});

it('should render', function (): void {
livewire(Dashboard::class)
livewire(UserDashboard::class)
->assertOk();
});

it('should be able to see user experience/stats', function (): void {
$nextLevelXp = $this->character->percentageExperience + $this->character->experience;

livewire(Dashboard::class)
livewire(UserDashboard::class)
->assertOk()
->assertSeeTextInOrder(['Level', $this->character->level])
->assertSeeTextInOrder(['Reputation', $this->character->reputation])
Expand All @@ -60,7 +60,7 @@

it('should be able to see events details', function (): void {
$this->events->each(function (EventModel $event): void {
livewire(Dashboard::class)
livewire(UserDashboard::class)
->assertOk()
->assertSeeText($event->title)
->assertSeeText(Date::parse($event->starts_at)->format('d/m/Y H:i'))
Expand Down
4 changes: 0 additions & 4 deletions app/Providers/Filament/UserPanelProvider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@
use Filament\PanelProvider;
use Filament\Support\Colors\Color;
use He4rt\Tenant\Models\Tenant;
use He4rt\User\Filament\User\Pages\Dashboard;
use He4rt\User\Filament\User\Pages\UserProfile;
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
use Illuminate\Cookie\Middleware\EncryptCookies;
Expand Down Expand Up @@ -47,9 +46,6 @@ public function panel(Panel $panel): Panel
])
->discoverResources(in: app_path('Filament/Resources'), for: 'App\Filament\Resources')
->discoverPages(in: app_path('Filament/Pages'), for: 'App\Filament\Pages')
->pages([
Dashboard::class,
])
->discoverWidgets(in: app_path('Filament/Widgets'), for: 'App\Filament\Widgets')
->middleware([
EncryptCookies::class,
Expand Down
1 change: 1 addition & 0 deletions composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@
"predis/predis": "^2.4.1",
"ryangjchandler/commonmark-blade-block": "^1.1",
"spatie/laravel-medialibrary": "^11.17.5",
"stechstudio/filament-impersonate": "^4.0",
Copy link

@coderabbitai coderabbitai bot Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

stechstudio/filament-impersonate Packagist package

💡 Result:

stechstudio/filament-impersonate — summary

  • What it is: a Filament plugin that lets admins impersonate users (uses 404labfr/laravel-impersonate). [1][2]
  • Latest Packagist version: 4.0.1 (released 2025-08-13). [1]
  • Requirements (example): filament/filament ^4.0 and lab404/laravel-impersonate ^1.7. [1]
  • Installs / popularity: ~1.97M installs, ~355 stars on GitHub. [1][2]
  • Source / repo: github.com/stechstudio/filament-impersonate. [2]

Install: composer require stechstudio/filament-impersonate. [1]

Sources: Packagist package page and project GitHub. [1][2]

🏁 Script executed:

#!/bin/bash
# Check what files changed in this PR to see if implementation code is included
git diff --name-only HEAD~1 HEAD 2>/dev/null | head -20 || echo "Git history not available"

# Also check composer.json to see all changes
git diff HEAD~1 HEAD composer.json 2>/dev/null || echo "Could not get git diff"

Repository: he4rt/he4rt-bot-api

Length of output: 85

🌐 Web query:

stechstudio/filament-impersonate security CVE vulnerability

💡 Result:

I found no CVE or public security advisory specifically for stechstudio/filament-impersonate. The repository itself is active on GitHub [1]. The notable Filament security issues that do have CVEs (e.g., CVE-2024-47186 affecting Filament core color components) are for the Filament project, not the stechstudio/filament-impersonate plugin [2]. Public CVE aggregators and advisories list Filament/core vulnerabilities but do not show a CVE entry for stechstudio/filament-impersonate [3].

If you want, I can:

  • monitor the repo’s GitHub Security Advisories and Dependabot alerts and notify you of any new advisories, or
  • scan your project for usage of this package and suggest mitigations.

Sources: GitHub repo (stechstudio/filament-impersonate) [1]; Filament CVE example (CVE-2024-47186) analysis [2]; CVE/advisory aggregator listings (no CVE for that plugin) [3].

🏁 Script executed:

#!/bin/bash
# Check if there are any implementation files for impersonate feature
# Look for config files, middleware, routes, controllers, or service providers

echo "=== Checking for impersonate-related implementation files ==="
fd -e php | xargs grep -l "impersonate\|Impersonate" 2>/dev/null | head -20

echo ""
echo "=== Checking for new files in config directory ==="
find . -path ./vendor -prune -o -type f -name "*impersonate*" -print 2>/dev/null

echo ""
echo "=== Checking composer.json changes ==="
cat composer.json | grep -A2 -B2 "filament-impersonate"

Repository: he4rt/he4rt-bot-api

Length of output: 471

PR adds only the composer dependency; implementation code is missing.

The package stechstudio/filament-impersonate (v4.0.1) is legitimate, well-maintained (1.97M installs, 355 stars), and has no known security vulnerabilities. Version ^4.0 is fully compatible with Laravel 12.40.2 and Filament ^4.2.3 (package requires filament/filament ^4.0).

However, this PR contains only the composer.json change. No implementation files (config, routes, middleware, service provider registration, etc.) were added. The impersonate feature will not function until these are included.

🤖 Prompt for AI Agents 
In composer.json at line 49, the PR adds the dependency
stechstudio/filament-impersonate but provides no implementation; add the missing
integration artifacts so the package actually works: register the package's
service provider (or add to the app providers array), add/publish and include
the package config file, wire up any required routes and middleware (and
register the middleware in kernel or Filament auth stack), and ensure any
required views/publishable assets are published and referenced; update
documentation or README and include tests or a simple usage example showing an
admin can impersonate a user.

"symfony/browser-kit": "v7.0.8",
"torchlight/torchlight-commonmark": "^0.6.0",
"torchlight/torchlight-laravel": "^0.6.1"
Expand Down
113 changes: 111 additions & 2 deletions composer.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 15 additions & 0 deletions database/seeders/BaseSeeder.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,21 @@ public function run(): void
->recycle($tenant)
->createOne();

User::factory()
->count(5)
->create()
->each(function (User $user, $index) use ($tenant): void {
$idx = $index + 1;
$user->update([
'username' => 'fake_user_'.$idx,
'name' => 'Fake User '.$idx,
]);
Character::factory()->recycle($user)->recycle($tenant)->create();
Information::factory()->recycle($user)->create();
Address::factory()->recycle($user)->create();
Provider::factory()->recycle($user)->recycle($tenant)->create();
});
Comment on lines +53 to +66
Copy link

@coderabbitai coderabbitai bot Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

New users are not attached as tenant members.

The admin user is attached to the tenant via $tenant->members()->attach($user) (line 41), but these 5 additional users are not. This may cause issues when testing impersonation or tenant-scoped features, as these users won't be recognized as tenant members despite having Characters and Providers linked to the tenant.

Consider attaching new users to the tenant:

             User::factory()
             ->count(5)
             ->create()
             ->each(function (User $user, $index) use ($tenant): void {
                 $idx = $index + 1;
                 $user->update([
                     'username' => 'fake_user_'.$idx,
                     'name' => 'Fake User '.$idx,
                 ]);
+                $tenant->members()->attach($user);
                 Character::factory()->recycle($user)->recycle($tenant)->create();
                 Information::factory()->recycle($user)->create();
                 Address::factory()->recycle($user)->create();
                 Provider::factory()->recycle($user)->recycle($tenant)->create();
             });
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
User::factory()
->count(5)
->create()
->each(function (User $user, $index) use ($tenant): void {
$idx = $index + 1;
$user->update([
'username' => 'fake_user_'.$idx,
'name' => 'Fake User '.$idx,
]);
Character::factory()->recycle($user)->recycle($tenant)->create();
Information::factory()->recycle($user)->create();
Address::factory()->recycle($user)->create();
Provider::factory()->recycle($user)->recycle($tenant)->create();
});
User::factory()
->count(5)
->create()
->each(function (User $user, $index) use ($tenant): void {
$idx = $index + 1;
$user->update([
'username' => 'fake_user_'.$idx,
'name' => 'Fake User '.$idx,
]);
$tenant->members()->attach($user);
Character::factory()->recycle($user)->recycle($tenant)->create();
Information::factory()->recycle($user)->create();
Address::factory()->recycle($user)->create();
Provider::factory()->recycle($user)->recycle($tenant)->create();
});
🤖 Prompt for AI Agents 
In database/seeders/BaseSeeder.php around lines 53 to 66, the five created users
are not being attached as members of the tenant which will break tenant-scoped
behavior; within the each(...) closure after creating/updating the user, call
the tenant membership attach method (e.g. $tenant->members()->attach($user->id)
or $tenant->members()->syncWithoutDetaching([$user->id]) so existing members are
preserved) — include any required pivot data (role, joined_at) if your tenants
expect it, and do this before creating tenant-scoped child factories so those
relations will resolve correctly.


EventModel::factory()
->withStatus()
->recycle($tenant)
Expand Down