Force reauthentication after user permissions have been changed

Article URL: https://www.itbaoku.cn/post/2090764.html

Question

In my application I can change user permissions and roles in backend.

When a user is logged in and I remove a role of the user, the user can still access content which he actually is not permitted to access anymore, because he is missing the role. The changes take effect only when the user reauthenticates himself with logout/login.

So my question is, can I access the session of a logged in user (not me)? I know I can access my own session and destroy it which forces me to login again. But I want to get the session of any user who is logged in. Is this possible? I could not find any resources about that.

I use PdoSessionStorage with Symfony 2.1 and FOSUserBundle.

Recommended answer

Make your user class implement Symfony\Component\Security\Core\User\EquatableInterface.

If you return false from the isEqualTo() method, the user will be reauthenticated. Use that method to compare only those properties that when changed should force reauthentication — roles in your case.
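
As an added example (not the asker's or the answerer's code), here is what a user entity implementing the interface described above can look like. The namespace, class name, constructor and property names are assumed; the two interfaces are Symfony's own. Symfony reloads the user from the user provider on every request and compares it with the user stored in the session token; when isEqualTo() returns false the token loses its authenticated flag and the firewall has to authenticate again. The example goes slightly beyond the answer by keeping the username, password and salt checks that Symfony performs by default when no EquatableInterface is present, so that a password change still ends other sessions.

```php
<?php
// Added example, not the asker's or answerer's code. Namespace, class and
// property names are assumed; the two interfaces are Symfony's own.

namespace Acme\UserBundle\Entity;

use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User implements UserInterface, EquatableInterface
{
    private $username;
    private $password; // already encoded
    private $salt;
    private $roles;

    public function __construct($username, $password, $salt, array $roles)
    {
        $this->username = $username;
        $this->password = $password;
        $this->salt     = $salt;
        $this->roles    = $roles;
    }

    public function getUsername() { return $this->username; }
    public function getPassword() { return $this->password; }
    public function getSalt()     { return $this->salt; }
    public function getRoles()    { return $this->roles; }

    public function eraseCredentials()
    {
        // nothing sensitive is held in plain text on this object
    }

    /**
     * Called by Symfony on every request with the user freshly loaded by the
     * user provider ($user) against the user serialized in the session ($this).
     * Returning false de-authenticates the session token.
     */
    public function isEqualTo(UserInterface $user)
    {
        if (!$user instanceof self) {
            return false;
        }

        // Keep the checks Symfony performs by default (username, password,
        // salt); otherwise a password change would no longer end other sessions.
        if ($this->username !== $user->getUsername()
            || $this->password !== $user->getPassword()
            || $this->salt !== $user->getSalt()) {
            return false;
        }

        // The property this question is about: compare roles as an unordered
        // set, so a mere reordering does not force reauthentication while any
        // added or removed role does.
        $mine   = $this->roles;
        $theirs = $user->getRoles();
        sort($mine, SORT_STRING);
        sort($theirs, SORT_STRING);

        return $mine === $theirs;
    }
}
```

If you extend FOSUserBundle's base User class instead of writing one from scratch, the getters already exist and you only add the EquatableInterface declaration and the isEqualTo() method. The comparison only runs for requests that pass through a stateful firewall that restores the token from the session, and it relies on the user provider returning the current roles from the database rather than a cached copy.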

Other recommended answers

You can get around this issue by following an approach similar to what I did:

  1. When user logs in, store all permissions in session along with a checksum of those permissions.
  2. Store the same checksum in a database, or on disk, against that user ID.
  3. Whenever the user makes a request, verify that the checksum on disk matches the one in session for that user. If it is different, reload the permissions into the user's session
  4. When you change the permissions, update the checksum in the database (or on disk) that is stored against that user. This will trigger a resync on their next request.
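
The four steps above, as an added example that is not the answerer's code: plain PHP with an in-memory stand-in for the users table and for the session (the real application would use its database and PdoSessionStorage), so it runs without Symfony. The function and class names are assumed.

```php
<?php
// Added example (not the answerer's code): the checksum-resync scheme from the
// answer above in plain PHP. PermissionStore stands in for the users table and
// the $session array for $_SESSION / PdoSessionStorage.

function permissionsChecksum(array $permissions)
{
    // Canonical form first: otherwise ['a','b'] and ['b','a'] hash differently
    // and would trigger a needless resync on every request.
    $permissions = array_values(array_unique($permissions));
    sort($permissions, SORT_STRING);
    return hash('sha256', implode("\0", $permissions));
}

class PermissionStore
{
    // user id => ['permissions' => [...], 'checksum' => '...']
    private $db = array();

    // Step 2 and step 4: the checksum is written alongside the permissions,
    // so every change to the permissions changes the stored checksum.
    public function setPermissions($userId, array $permissions)
    {
        $this->db[$userId] = array(
            'permissions' => $permissions,
            'checksum'    => permissionsChecksum($permissions),
        );
    }

    public function permissions($userId) { return $this->db[$userId]['permissions']; }
    public function checksum($userId)    { return $this->db[$userId]['checksum']; }
}

// Step 1: on login, cache the permissions and their checksum in the session.
function login(PermissionStore $store, array &$session, $userId)
{
    $perms = $store->permissions($userId);
    $session['user_id']     = $userId;
    $session['permissions'] = $perms;
    $session['perm_sum']    = permissionsChecksum($perms);
}

// Step 3: on every request, compare the stored checksum with the session copy
// and reload the permissions when they differ. Returns true if a resync happened.
function syncPermissions(PermissionStore $store, array &$session)
{
    $current = $store->checksum($session['user_id']);
    if ($current === $session['perm_sum']) {
        return false;
    }
    $session['permissions'] = $store->permissions($session['user_id']);
    $session['perm_sum']    = $current;
    return true;
}

// Authorization must read the resynced copy, not a list cached elsewhere.
function isGranted(array $session, $permission)
{
    return in_array($permission, $session['permissions'], true);
}

// Constructed scenario: user 42 logs in as an admin, the backend removes that
// role while the session is live, and the next request no longer has it.
$store = new PermissionStore();
$store->setPermissions(42, array('ROLE_USER', 'ROLE_ADMIN'));

$session = array();
login($store, $session, 42);
var_dump(isGranted($session, 'ROLE_ADMIN'));

$store->setPermissions(42, array('ROLE_USER'));   // admin action in the backend

// next request from the same session
var_dump(syncPermissions($store, $session));
var_dump(isGranted($session, 'ROLE_ADMIN'));
```

Two points worth keeping in mind with this scheme. The checksum is only a change detector, not a credential, so a plain comparison is enough; what matters for security is that the permissions are re-read from the database, the authoritative source, rather than trusted from the session. And in a Symfony application is_granted() reads roles from the security token, not from your own session array, so the resync only takes effect if your access checks consult the reloaded permissions; the EquatableInterface approach in the first answer avoids that gap by working on the token itself.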