Release v5.0.0 π
This is a major release featuring a completely revamped modern UI, improved security, better performance, and support for the latest Laravel ecosystem!
β¨ New Features & Improvements
1. Zero Dependencies (Vanilla JS & CSS)
We've completely dropped heavy frontend dependencies (jQuery, Select2) and the entire Node.js build ecosystem (Webpack, package.json, .nvmrc). The frontend is now 100% Vanilla JS and Vanilla CSS, drastically reducing the footprint!
2. Revamped UI
The impersonation widget has been rebuilt using modern Flexbox (replacing legacy <table> layouts). It now provides a cleaner, more responsive, and easily maintainable design.
3. Database Scoping Support (scopeImpersonatable)
Easily apply database-level filtering for who can be searched/impersonated. This dramatically improves performance and pagination accuracy.
Full support for traditional scopeMethod() conventions as well as Laravel 11+ #[Scope] attributes!
4. Plug-and-Play Trait Defaults
The HasImpersonation trait now comes with sensible defaults:
getImpersonateDisplayText()returns$this->namegetImpersonateSearchField()returns['name']
Meaning: Zero initial configuration is required for basic usage.
5. Fluent Backend Impersonation
Introduced a fluent shortcut to perform manual backend impersonation without passing the impersonator explicitly:
Impersonate::loginAs($user);6. Codebase Purity
Removed all PHPStan baseline suppressions. The codebase now natively passes PHPStan Level 9 strict typing analysis with zero errors.
π Security & Bug Fixes
-
[HIGH] Information Disclosure Fixed
Added proper authorization guards (403 Forbidden) to the API endpoints (/_impersonate/usersand/_impersonate/login). Unauthenticated or unauthorized users can no longer enumerate the user list. -
Pagination Accuracy
Applying the impersonation filter directly via query scope (rather than in-memory PHP filtering) fixes inaccurate.total()records returned by pagination queries. -
Robust Error Handling
Internal repository queries now catch structural exceptions and throw a cleanImpersonateExceptioninstead of leaking database/system errors to API consumers.
β Breaking Changes
-
Minimum Requirements Bumped:
Now requires PHP 8.2+ and Laravel 12.x / 13.x -
In-Memory Filtering Removed:
ImpersonateCollectionno longer filters impersonatable users in-memory after queries are executed. Database-level scoping viascopeImpersonatableis now the required approach. -
Config Keys Renamed:
The configuration for UI state is now properly grouped under theinterfacekey.impersonate.enabledβimpersonate.interface.enabled
-
ENV Variables Renamed:
All interface-related env keys are now consistently prefixed withIMPERSONATE_UI_.IMPERSONATE_ENABLEDβIMPERSONATE_UI_ENABLEDIMPERSONATE_WIDTHβIMPERSONATE_UI_WIDTHIMPERSONATE_DELAYβIMPERSONATE_UI_DEBOUNCE
π Upgrade Guide
Upgrading from v4.x? Please follow these 3 quick steps:
-
Update
.envVariables
Rename your existing keys to match the new prefix:IMPERSONATE_ENABLEDβIMPERSONATE_UI_ENABLEDIMPERSONATE_WIDTHβIMPERSONATE_UI_WIDTHIMPERSONATE_DELAYβIMPERSONATE_UI_DEBOUNCE
-
Update Config References
If you published the config, moveenabledinside theinterfacearray. -
Implement Database Scoping
AddscopeImpersonatable()(or use#[Scope]) on your User model to handle impersonation limits at the database query level. This fixes pagination and speeds up searches.
Full Changelog: v4.3.1...v5.0.0