Force reauthentication after user permissions have been changed

自闭症网瘾萝莉.ら submitted on 2019-12-04 21:38:57

Question


In my application I can change user permissions and roles in backend.

When a user is logged in and I remove a role of the user, the user can still access content which he actually is not permitted to access anymore, because he is missing the role. The changes take effect only when the user reauthenticates himself with logout/login.

So my question is, can I access the session of a logged in user (not me)? I know I can access my own session and destroy it which forces me to login again. But I want to get the session of any user who is logged in. Is this possible? I could not find any resources about that.

I use PdoSessionStorage with symfony2.1 and fosuserbundle.


Answer 1:


Make your user class implement Symfony\Component\Security\Core\User\EquatableInterface.

If you return false from the isEqualTo() method, the user will be reauthenticated. Use that method to compare only those properties that when changed should force reauthentication — roles in your case.
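The following is an added example of the approach this answer describes; it is not code from the answer itself. It assumes a FOSUserBundle user entity named Acme\UserBundle\Entity\User (a hypothetical namespace) extending FOS\UserBundle\Entity\User, which already implements UserInterface, and targets the Symfony 2.1 API named in the question (isEqualTo(UserInterface $user) without a return type). Symfony passes the freshly reloaded user to isEqualTo() on each request and compares it with the user deserialized from the session; returning false marks the token as no longer authenticated.

```php
<?php
// Added example, not from the original answer. Assumes FOSUserBundle's
// base entity class and the Symfony 2.1 EquatableInterface signature.
namespace Acme\UserBundle\Entity;

use FOS\UserBundle\Entity\User as BaseUser;
use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User extends BaseUser implements EquatableInterface
{
    /**
     * Called by the security component on every request. $this is the
     * user stored in the session; $user is the one just reloaded by the
     * user provider. Returning false de-authenticates the current token,
     * so the user has to log in again and picks up the new roles.
     */
    public function isEqualTo(UserInterface $user)
    {
        // A different class or a different account is never "the same user".
        if (!$user instanceof self) {
            return false;
        }
        if ($this->getUsername() !== $user->getUsername()) {
            return false;
        }

        // Compare the role sets order-insensitively: a reordered role list
        // must not force a logout, but any added or removed role must.
        $sessionRoles = $this->getRoles();
        $freshRoles   = $user->getRoles();
        sort($sessionRoles);
        sort($freshRoles);

        return $sessionRoles === $freshRoles;
    }
}
```

Only the properties compared here trigger reauthentication; if a password or account-disabled change should also end existing sessions, add those fields to the comparison in the same way. The check runs against whatever the user provider returns, so it depends on the provider actually reloading the user from the database on each request rather than returning the serialized copy.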




Answer 2:


You can get around this issue by following an approach similar to what I did:

  1. When the user logs in, store all permissions in session along with a checksum of those permissions.
  2. Store the same checksum in a database, or on disk, against that user ID.
  3. Whenever the user makes a request, verify that the checksum on disk matches the one in session for that user. If it is different, reload the permissions into the user's session
  4. When you change the permissions, update the checksum in the database (or on disk) that is stored against that user. This will trigger a resync on their next request.
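The four steps above, carried through as one added example in framework-agnostic PHP (this is not the answerer's code). The PermissionStore class is a constructed in-memory stand-in for the database table that holds each user's permissions and checksum, and the $session array stands in for the real session storage; the sample user id and permission names are constructed as well.

```php
<?php
// Added example, not from the original answer. In-memory stand-ins replace
// the database and the session so the flow runs without a framework.

// Canonical checksum of a permission set: sort first so that the same set
// in a different order yields the same checksum and no needless resync.
function permissionChecksum(array $permissions)
{
    sort($permissions);
    return hash('sha256', json_encode(array_values($permissions)));
}

// Stand-in for the "permissions + checksum per user" table (constructed).
class PermissionStore
{
    private $rows = array();

    // Step 4: changing permissions also rewrites the stored checksum.
    public function setPermissions($userId, array $permissions)
    {
        $this->rows[$userId] = array(
            'permissions' => array_values($permissions),
            'checksum'    => permissionChecksum($permissions),
        );
    }

    public function permissions($userId)
    {
        return isset($this->rows[$userId]) ? $this->rows[$userId]['permissions'] : array();
    }

    public function checksum($userId)
    {
        return isset($this->rows[$userId]) ? $this->rows[$userId]['checksum'] : null;
    }
}

// Steps 1 and 3: load permissions into the session whenever the session's
// checksum differs from the stored one. Returns true when a resync happened.
function syncSessionPermissions(array &$session, PermissionStore $store, $userId)
{
    $stored = $store->checksum($userId);
    if (!isset($session['perm_checksum']) || $session['perm_checksum'] !== $stored) {
        $session['permissions']   = $store->permissions($userId);
        $session['perm_checksum'] = $stored;
        return true;
    }
    return false;
}

function hasPermission(array $session, $permission)
{
    return isset($session['permissions']) && in_array($permission, $session['permissions'], true);
}

// Walk-through with constructed data.
$store   = new PermissionStore();
$userId  = 42;
$session = array();

$store->setPermissions($userId, array('article.read', 'article.delete'));

// Step 1: login populates the session.
syncSessionPermissions($session, $store, $userId);
printf("after login, can delete: %s\n", hasPermission($session, 'article.delete') ? 'yes' : 'no');

// Step 4: an administrator revokes a permission in the backend.
$store->setPermissions($userId, array('article.read'));

// Step 3: on the user's next request the checksum mismatch triggers a resync.
$resynced = syncSessionPermissions($session, $store, $userId);
printf("next request resynced: %s, can delete: %s\n",
    $resynced ? 'yes' : 'no',
    hasPermission($session, 'article.delete') ? 'yes' : 'no');
```

The checksum is a change indicator, not a secret, so a plain comparison is enough; what matters is that every write to a user's permissions also updates the stored checksum (step 4), otherwise the session never notices the change. The cost per request is one small lookup of the stored checksum, which is much cheaper than reloading the full permission set on every request.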


Source: https://stackoverflow.com/questions/15115882/force-reauthentication-after-user-permissions-have-been-changed
