In real-life applications, administrators often need to view user dashboards or check access-related issues. The impersonate user feature in Laravel 12 allows specific users, such as admins, to log in as any user securely without needing their password. It helps resolve issues faster and keep the Laravel application bug-free while maintaining proper access control.
Imagine a case where a user is facing issues such as missing access to some modules or items on their account. Instead of relying on the user's description, you can use the login as user feature to impersonate that user and see their experience directly. It saves time and improves support quality while keeping data secure and private.
When to Use Impersonate User Feature
Here are some typical scenarios where user impersonation can prove to be very useful:
- In order to check what a particular user will see on his dashboard.
- For debugging problems reported by the users without having to reset passwords.
- For checking role-based permissions or access controls.
- For checking UI or feature visibility for various types of users before they go live.
- To offer improved and quicker customer assistance.
- To check user-submitted data in real time.
- To inspect account-specific settings during QA testing.
Implementing Impersonate User in Laravel 12
Now let's create a secure version of the impersonate user feature in Laravel 12. In this example, we check whether the current user is an admin, and only then allow them to impersonate another user and access that user's information.
Adding Routes
For our example, you will need 2 routes. One lets an admin log in as another user, and the other exits the impersonation process and returns them to their own profile.
Open the routes/web.php file and add the routes below:
    <?php

    use Illuminate\Support\Facades\Route;
    use App\Http\Controllers\ImpersonateController;

    Route::middleware(['auth'])->group(function () {
        // Register the fixed /impersonate/stop path first and restrict {id} to digits;
        // otherwise /impersonate/{id} would capture "stop" as an id.
        Route::get('/impersonate/stop', [ImpersonateController::class, 'stop'])->name('impersonate.stop');
        Route::get('/impersonate/{id}', [ImpersonateController::class, 'impersonate'])
            ->whereNumber('id')
            ->name('impersonate.start');
    });

Creating the Impersonate Controller
Next, you need to handle the actual logic for the "Login as User" feature. This controller will handle the whole functionality of impersonating a user. Let's create the controller using the command below:

    php artisan make:controller ImpersonateController

This creates the controller. Let's modify it to add both impersonation methods.
    <?php

    namespace App\Http\Controllers;

    use Illuminate\Support\Facades\Auth;
    use App\Models\User;

    class ImpersonateController extends Controller
    {
        public function impersonate($id)
        {
            $currentUser = Auth::user();

            // Only admins may impersonate; adapt this check to your own role/permission rules.
            if ($currentUser->role !== 'admin') {
                abort(403, 'Unauthorized action.');
            }

            // Returns a 404 if the target user does not exist.
            $user = User::findOrFail($id);

            if ($user->id === $currentUser->id) {
                return redirect()->back()->with('error', 'Cannot impersonate yourself.');
            }

            // Remember who started the impersonation so stop() can switch back.
            session(['impersonate_original_id' => $currentUser->id]);
            Auth::login($user);

            return redirect('/')->with('message', 'Now impersonating user: ' . $user->name);
        }

        public function stop()
        {
            $originalId = session('impersonate_original_id');

            if ($originalId) {
                $originalUser = User::find($originalId);

                // The original account may no longer exist; never pass null to Auth::login().
                if ($originalUser) {
                    Auth::login($originalUser);
                }

                session()->forget('impersonate_original_id');
            }

            return redirect('/')->with('message', 'Stopped impersonating user');
        }
    }

The impersonate method checks whether the current user has admin access; you may need to customize this check to match your own role and permission rules. It then stores the admin's ID in the session and logs in as the selected user with the Auth::login() method, which replaces the currently authenticated user. You could also use Auth::loginUsingId() here, but the current approach is ideal because it validates the ID before logging the user in. Lastly, we redirect to the dashboard, which the admin now sees as the selected user.
Front-end Update for Login as User Feature
Finally, we need to give the admin a way to start impersonating a user from the front-end and to exit impersonation. Let's modify the Blade files to allow the admin user to select another user. We also need to show a way to stop impersonating.
    @if(auth()->user()->role === 'admin')
        <h3>Select User to Impersonate</h3>
        {{-- The script below builds the final URL, so the action only needs the base path;
             route('impersonate.start') cannot be generated with an empty id. --}}
        <form action="{{ url('/impersonate') }}" method="GET" id="impersonateForm">
            <select id="userSelect">
                <option value="">-- Choose User --</option>
                @foreach($users as $user)
                    <option value="{{ $user->id }}">{{ $user->name }} ({{ $user->email }})</option>
                @endforeach
            </select>
            <button type="submit">Impersonate</button>
        </form>
        <script>
            // Redirect to /impersonate/<id> for the selected user.
            document.getElementById('impersonateForm').addEventListener('submit', function (e) {
                e.preventDefault();
                var userId = document.getElementById('userSelect').value;
                if (userId) {
                    window.location.href = "{{ url('/impersonate') }}/" + userId;
                }
            });
        </script>
    @endif

    {{-- Shown only while an impersonation session is active. --}}
    @if(session()->has('impersonate_original_id'))
        <a href="{{ route('impersonate.stop') }}">Stop Impersonation</a>
    @endif

In this flow, the admin selects a user from the list; on submitting the form, they are redirected to the impersonate route and shown a message on success. While the impersonate feature is in use, a link to stop the impersonation process is shown.
This ensures that only admin users see and can use the impersonation feature, maintaining a secure and role-based control system.
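A feature test for the routes and controller described above, as an added example that is not part of the original article. It assumes the default User factory and a `role` column on the users table; the class name ImpersonateTest and its location under tests/Feature are suggestions.

```php
<?php
// Added example, not from the original article. Assumes User::factory()
// and a `role` column on users, as the controller's role check implies.
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class ImpersonateTest extends TestCase
{
    use RefreshDatabase;

    public function test_non_admin_cannot_impersonate(): void
    {
        $user = User::factory()->create(['role' => 'user']);
        $target = User::factory()->create(['role' => 'user']);

        $this->actingAs($user)
            ->get(route('impersonate.start', ['id' => $target->id]))
            ->assertForbidden();
        $this->assertAuthenticatedAs($user); // identity must not change
    }

    public function test_admin_can_impersonate_and_return(): void
    {
        $admin = User::factory()->create(['role' => 'admin']);
        $target = User::factory()->create(['role' => 'user']);

        $this->actingAs($admin)
            ->get(route('impersonate.start', ['id' => $target->id]))
            ->assertRedirect('/')
            ->assertSessionHas('impersonate_original_id', $admin->id);
        $this->assertAuthenticatedAs($target);

        // /impersonate/stop must reach stop(), not be read as {id} = "stop".
        $this->get(route('impersonate.stop'))
            ->assertRedirect('/')
            ->assertSessionMissing('impersonate_original_id');
        $this->assertAuthenticatedAs($admin);
    }

    public function test_impersonated_user_has_no_admin_rights(): void
    {
        $admin = User::factory()->create(['role' => 'admin']);
        $target = User::factory()->create(['role' => 'user']);
        $other = User::factory()->create(['role' => 'user']);

        $this->actingAs($admin)->get(route('impersonate.start', ['id' => $target->id]));
        $this->get(route('impersonate.start', ['id' => $other->id]))->assertForbidden();
        $this->assertAuthenticatedAs($target); // still the impersonated user
    }
}
```

Run it with `php artisan test --filter=ImpersonateTest`.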
Conclusion
The impersonate user feature in Laravel 12 allows admins to debug and test user accounts effectively with strict access control. The login as user feature is accessible only to admins to ensure security and role-based access. The feature makes it easier to preview user access and enhances overall application management.
If you want to implement an additional layer of security for your Laravel application, you can limit who visits your site according to their IP. Take a look at our in-depth guide “Restrict Website Access Based on IP Address In Laravel” to implement it without any hassles.

