How do I restrict who can impersonate users in Laravel

Here are the steps to restrict impersonation:

1. Add the Impersonate Trait to the User Model:

php
   namespace App\Models;

   use Illuminate\Foundation\Auth\User as Authenticatable;
   use Lab404\Impersonate\Models\Impersonate;

   class User extends Authenticatable
   {
       use Impersonate;

       // Your other methods...

       public function canImpersonate(User $user)
       {
           // Check if the user is an admin
           return $user->hasRole('admin');
       }
   }
   

2. Add the Impersonate Route Macro:

php
   namespace App\Providers;

   use Illuminate\Support\Facades\Route;
   use Lab404\Impersonate\ImpersonateServiceProvider;

   class RouteServiceProvider extends ServiceProvider
   {
       public function map()
       {
           Route::middleware('web')->group(function (Router $router) {
               $router->impersonate();
           });
       }
   }
   

3. Impersonate and Leave Impersonation Methods in the Controller:

php
   namespace App\Http\Controllers;

   use Illuminate\Http\Request;
   use Illuminate\Support\Facades\Auth;

   class UsersController extends Controller
   {
       public function impersonate(User $user)
       {
           Auth::user()->impersonate($user);
           return redirect()->route('home.index');
       }

       public function leaveImpersonation()
       {
           Auth::user()->leaveImpersonation();
           return redirect()->route('home.index');
       }
   }
   

4. Blade Directives for Impersonation:

php
   @role('admin')
   <td>
       @if($user->id != auth()->id())
           <a href="{{ route('users.impersonate', $user->id) }}" class="btn btn-warning btn-sm">Impersonate</a>
       @endif
   </td>
   @endrole
   

By implementing these steps, you ensure that only users with the specified role (e.g., 'admin') can impersonate other users. This provides a secure way to manage user impersonation in your Laravel application[1][3][5].