Hello everyone!
This update is almost entirely about the admin area being able to do things to a live user instead of just looking at them. Previously the Users table was a list — now it's a control panel.
The Actions dropdown
Every row in the user table now has a proper Actions menu with everything you'd want at hand: view details, edit, masquerade (impersonate them so you can reproduce a bug from their seat), activate or deactivate, mark email verified, send a password reset, disable 2FA, force sign-out, and delete. It's implemented as a teleported dropdown — the menu renders into <body> so it floats above every other table row instead of getting clipped by the row boundary.
Masquerading is powered by lab404/laravel-impersonate. Super-admins get a "Leave impersonation" banner at the top of the page while they're masquerading, so you can't forget you're acting as someone else.
Live Force-Logout and Force-Reload over WebSockets
Laravel Reverb is now serving our WebSocket traffic, which unlocks a pair of admin actions that previously would have required the user to refresh:
- Force sign-out broadcasts a
ForceLogoutevent on the user's private channel. The browser hears it and drops the session immediately. - Force reload broadcasts
ForceReload, which causes the user's page to reload. Great for shoving a hotfix out to someone mid-session, and for kicking someone out of a page they shouldn't be on after their permissions have just been revoked.
Both events are tied to the signed-in user's channel, so you can't accidentally reload a stranger — only someone Reverb has authenticated.
Forced password-change flow
A super-admin can now "Force reset password" on any user. That generates a temporary password you see exactly once on screen, sets the user's password_change_required flag, and fires the ForceLogout event. Next time that user logs in, they get dropped onto a "choose a new password" screen and can't navigate anywhere else until they set one. It's the flow you'd expect from a corporate help desk — minus the awkward ticket number.
Same machinery backs the new-user invite flow, so invitees land on the password-setup screen the first time they sign in.
Changelog
- Full Actions dropdown on the Users table: details, edit, masquerade, activate/deactivate, verify email, password reset, disable 2FA, force reload, force sign-out, delete.
- Laravel Reverb installed; ForceLogout and ForceReload events broadcast live to the target user.
- Force-reset-password flow for super-admins: generates a one-time temp password and locks the user to a password-change screen on next login.
lab404/laravel-impersonateintegrated for masquerading.two_factor_confirmed_atnow casts to a proper datetime so the 2FA-enabled badge actually shows up in the table.- Cleaner 2FA-required flash banner when the admin area rejects you — no more Jetstream validation-error styling for what is really just a gate.
/ge(the GE dashboard) is now behind theview-gepermission.
So what's next? Backups, a real dev-tools drawer (Horizon, Telescope, Pulse), and a performance sweep — a handful of long-running commands have been stacking and leaking MySQL connections.
All the best, Austen