使 Symfony2 中特定用户的会话无效 [英] Invalidate session for a specific user in Symfony2
问题描述
我编写了一个系统,其中一个后台 PHP 进程(使用 RabbitMQBundle 编写)处理来自一个消息队列.工作进程更新用户帐户.这可能包括用户角色的变化.
I have written a system in which a background PHP process (written using the RabbitMQBundle) processes messages from a message queue. The worker process updates user accounts. This may include a change in the user roles.
问题是用户在登录时不会注意到他的角色有任何变化.新角色只有在注销并再次登录后才能应用.从安全角度来看,这是不可取的.一旦管理员在后端系统中剥夺了该用户的权限,该用户应立即失去任何角色.
The problem is that a user won't notice any changes in his roles while being logged in. The new roles only get applied after logging out and in again. From a security perspective this is not desirable. A user should loose any role as soon as an administrator takes away privileges from that user in the backend system.
问题是:如何使用新角色更新特定用户的会话?或者如果不可能,如何使会话失效?
The question is: How can a session for a specific user be updated with the new roles? Or when that is not possible, how can the session be invalidated?
请注意,在后台进程中,我们没有可以使用的活动 security.context
或 request
.因此,这样的代码不起作用:
Note that in the background process we don't have an active security.context
or request
that we can use. Code like this therefore doesn't work:
$this->get('security.context')->setToken(null);
$this->get('request')->getSession()->invalidate();
推荐答案
您可以通过多种方式解决此问题:
You can solve this in several ways:
1) 通过 security.always_authenticate_before_granting
您可以强制 Symfony
在每个请求上刷新用户,有效地重新加载所有角色.
You can force Symfony
to refresh user on each request, effectively reloading all roles with it.
看到这个问题/答案:无需更改远程用户的角色重新登录
2) 通过EquatableInterface
:
您需要实现 isEqualsTo(User)
,这反过来应该将所有内容与 User
类进行比较,包括角色.
You need to implement isEqualsTo(User)
which in turn should compare everything with User
class, including roles.
请参阅此链接:创建用户班级
3) 最后,您可以使用DBMS
来存储会话.然后,只需找到记录并将其删除即可.
3) Finally, you can use DBMS
to store sessions. Then, it's just matter of find the record and delete it.
这篇关于使 Symfony2 中特定用户的会话无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!