FOSUserBundle/Symfony2: Force logout of a user given a user (not the currently logged in user)


Question


Whenever I edit a user's role, the user needs to log out and log back in to see the changes. There's no problem when promoting a user, as they just won't see the extra permissions until signing in again. However, when a demotion occurs, the user will still keep their existing role, which poses a security risk. Imagine revoking the admin role of a rogue employee and still having them be able to do anything (e.g. sabotaging the system) until they log out!


Is it possible to invalidate all sessions or tokens that are related to a specific user? If there is another way to dynamically update the roles of a user without logging them out, I would love to hear it!


Just to make it clear, I'm not trying to invalidate the currently logged in user's session/token.

Thanks in advance!

Answer


Symfony stores the serialized token object under the _security_match_firewall_name key in the session. You can unserialize it, filter the roles, and then save it again. For reading/saving session values you can use PdoSessionStorage. You may have to create an extra table for tracking user sessions.
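The answer above suggests keeping an extra table that maps users to their sessions. The following is an added example of that approach, written for this page and not taken from the question, the answer, FOSUserBundle or Symfony. Rather than rewriting the serialized token in place, it implements the forced logout the question actually asks for: every persisted session of the demoted user is deleted, so their next request arrives without a security token. It assumes sessions are stored with Symfony's PdoSessionHandler in a table named `sessions` with the default column names of Symfony 2.6+ (`sess_id`, `sess_data`, `sess_time`, `sess_lifetime`; older 2.x versions have no `sess_lifetime` column), and it introduces a hypothetical tracking table `user_sessions` plus a hypothetical login listener `RecordSessionOnLogin` that fills it. The demonstration at the bottom runs stand-alone against an in-memory SQLite database with constructed session rows; the `INSERT OR REPLACE` syntax is SQLite-specific.

```php
<?php
// Added example, not code from the original question/answer or from Symfony.
// Assumptions (labelled): PdoSessionHandler table `sessions` (Symfony 2.6+ columns),
// a hypothetical tracking table `user_sessions`, and the pdo_sqlite extension.

use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;

class SessionRegistry
{
    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    /** Tracking table only; the `sessions` table is owned by PdoSessionHandler. */
    public function createSchema()
    {
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS user_sessions (
            username VARCHAR(255) NOT NULL,
            sess_id  VARCHAR(128) NOT NULL,
            PRIMARY KEY (username, sess_id))');
    }

    /** Remember that $sessionId currently belongs to $username (SQLite upsert syntax). */
    public function record($username, $sessionId)
    {
        $stmt = $this->pdo->prepare(
            'INSERT OR REPLACE INTO user_sessions (username, sess_id) VALUES (:u, :s)');
        $stmt->execute(array(':u' => $username, ':s' => $sessionId));
    }

    /**
     * Force logout: delete every persisted session that belongs to $username and
     * forget the mapping. Returns the number of session rows removed. With the
     * session gone there is no _security_<firewall> token to restore, so the
     * user's next request is treated as anonymous regardless of the roles the
     * old token carried.
     */
    public function invalidateAll($username)
    {
        $this->pdo->beginTransaction();
        $del = $this->pdo->prepare('DELETE FROM sessions WHERE sess_id IN
            (SELECT sess_id FROM user_sessions WHERE username = :u)');
        $del->execute(array(':u' => $username));
        $removed = $del->rowCount();
        $this->pdo->prepare('DELETE FROM user_sessions WHERE username = :u')
            ->execute(array(':u' => $username));
        $this->pdo->commit();
        return $removed;
    }
}

/**
 * Hypothetical listener for the security.interactive_login event. It runs after
 * Symfony has migrated the session on authentication, so the recorded id is the
 * one the browser will keep using. Wire it up as a tagged service (kernel.event_listener).
 */
class RecordSessionOnLogin
{
    private $registry;

    public function __construct(SessionRegistry $registry)
    {
        $this->registry = $registry;
    }

    public function onLogin(InteractiveLoginEvent $event)
    {
        $username = $event->getAuthenticationToken()->getUsername();
        $this->registry->record($username, $event->getRequest()->getSession()->getId());
    }
}

// --- Stand-alone demonstration with constructed data ---------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// PdoSessionHandler's own table, Symfony 2.6+ layout (assumption, see lead-in).
$pdo->exec('CREATE TABLE sessions (sess_id VARCHAR(128) PRIMARY KEY, sess_data BLOB NOT NULL,
            sess_time INTEGER NOT NULL, sess_lifetime INTEGER NOT NULL)');
$registry = new SessionRegistry($pdo);
$registry->createSchema();

// Constructed rows: alice has two browsers open, bob has one. In a real table
// sess_data holds PHP's serialized session payload with the security token.
$now = time();
$rows = array('sess-alice-1' => 'alice', 'sess-alice-2' => 'alice', 'sess-bob-1' => 'bob');
foreach ($rows as $sid => $user) {
    $pdo->prepare('INSERT INTO sessions VALUES (:id, :data, :t, :l)')
        ->execute(array(':id' => $sid, ':data' => 'constructed', ':t' => $now, ':l' => 1440));
    $registry->record($user, $sid);
}

// alice is demoted from ROLE_ADMIN: kill both of her sessions, leave bob alone.
$removed = $registry->invalidateAll('alice');
$left = $pdo->query('SELECT sess_id FROM sessions ORDER BY sess_id')->fetchAll(PDO::FETCH_COLUMN);
printf("removed %d session(s); remaining: %s\n", $removed, implode(', ', $left));
```

Two caveats a practitioner should keep in mind. First, a request of the demoted user that is already in flight still holds the old session data in memory and writes it back when the request ends, which can recreate the deleted row; the exposure window is therefore one request, and the role change itself should also be enforced by the authorization checks, not only by the logout. Second, clear the user's remember-me cookie (or the stored remember-me token) at the same time, otherwise the next request transparently re-authenticates them; they would receive the updated roles from the user provider, but they would be back in without logging in. If you prefer the answer's approach of editing the token in place, note that `sess_data` is in PHP's session serialization format (governed by `session.serialize_handler`), not a plain `serialize()` string, and that `UsernamePasswordToken` takes its roles in the constructor, so you would rebuild the token rather than mutate it. A cheaper alternative to check in your Symfony version: implement `Symfony\Component\Security\Core\User\EquatableInterface` on the user entity and compare roles in `isEqualTo()`; `ContextListener` reloads the user from the provider on every request and de-authenticates the token when the comparison fails, which sends a demoted user back to the login form on their next request without touching session storage.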

