FOSUserBundle/Symfony2: Force logout of a given user (not the currently logged-in user)
Question
Whenever I edit a user's role, the user needs to log out and log back in to see the changes. There's no problem when promoting a user, as they just won't see the extra permissions until signing in again. However, when a demotion occurs, the user will still keep their existing role, which imposes a security risk. Imagine revoking the admin role of a rogue employee and still having them able to do anything (e.g. sabotage the system) until they log out!
Is it possible to invalidate all sessions or tokens that are related to a specific user? If there is another way to dynamically update the roles of a user without logging them out, I would love to hear it!
Just to make it clear, I'm not trying to invalidate the currently logged-in user's session/token.
提前谢谢!
Answer
Symfony stores the serialized token object under the `_security_match_firewall_name` key in the session. You can unserialize it, filter the roles and then save it again. For reading/saving session values you can use PdoSessionStorage. You may have to create an extra table for tracking users' sessions.
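The following is an added example, not code from the answer above or from FOSUserBundle/Symfony. It implements the "extra table" idea from the answer for the force-logout case: every login records the (user id, session id) pair, and demoting a user then deletes all of that user's rows from the PdoSessionStorage table, so their next request carries no session data, no security token is restored, and the firewall treats them as anonymous. It takes this route rather than the answer's "unserialize the token and filter the roles" route because rewriting the token in place requires loading the serialized Symfony token classes, while deleting the session row needs nothing beyond PDO. Assumptions: the session table uses PdoSessionStorage's default layout (`sessions` with `sess_id`, `sess_data`, `sess_time`), the `user_sessions` table and the `UserSessionInvalidator` class are hypothetical names introduced here, and the `register()` call would be made from a `security.interactive_login` listener (or wherever the application handles a successful login). The demo runs against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example (not from the original answer or from Symfony/FOSUserBundle).
//
// Assumptions (not stated by the page):
//  - Sessions are stored by Symfony's PdoSessionStorage in a table named
//    `sessions` with columns `sess_id`, `sess_data`, `sess_time` (its defaults).
//  - A hypothetical extra table `user_sessions(user_id, sess_id)` is filled in
//    at login time (e.g. from a security.interactive_login listener).
//  - Session ids are PHP session id strings; the user id is an integer.

final class UserSessionInvalidator
{
    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    /** Record that $sessionId belongs to $userId (call on successful login). */
    public function register($userId, $sessionId)
    {
        $stmt = $this->pdo->prepare(
            'INSERT INTO user_sessions (user_id, sess_id) VALUES (?, ?)'
        );
        $stmt->execute(array((int) $userId, $sessionId));
    }

    /**
     * Destroy every session recorded for $userId and return how many session
     * rows were removed. Deleting the row from the PdoSessionStorage table is
     * sufficient: on the user's next request the handler finds no data, so no
     * security token is restored and the request is treated as anonymous.
     */
    public function invalidateUser($userId)
    {
        $this->pdo->beginTransaction();
        try {
            $select = $this->pdo->prepare(
                'SELECT sess_id FROM user_sessions WHERE user_id = ?'
            );
            $select->execute(array((int) $userId));
            $sessionIds = $select->fetchAll(PDO::FETCH_COLUMN, 0);

            $deleted = 0;
            if (count($sessionIds) > 0) {
                // One placeholder per session id; ids are bound, never interpolated.
                $placeholders = implode(',', array_fill(0, count($sessionIds), '?'));
                $del = $this->pdo->prepare(
                    "DELETE FROM sessions WHERE sess_id IN ($placeholders)"
                );
                $del->execute($sessionIds);
                $deleted = $del->rowCount();

                $cleanup = $this->pdo->prepare('DELETE FROM user_sessions WHERE user_id = ?');
                $cleanup->execute(array((int) $userId));
            }
            $this->pdo->commit();
            return $deleted;
        } catch (Exception $e) {
            $this->pdo->rollBack();
            throw $e;
        }
    }
}

// --- Demonstration against an in-memory SQLite database with constructed rows ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sessions (sess_id VARCHAR(255) PRIMARY KEY, sess_data TEXT, sess_time INTEGER)');
$pdo->exec('CREATE TABLE user_sessions (user_id INTEGER NOT NULL, sess_id VARCHAR(255) PRIMARY KEY)');

// Constructed session rows: two for user 42 (two devices), one for user 7.
$insert = $pdo->prepare('INSERT INTO sessions (sess_id, sess_data, sess_time) VALUES (?, ?, ?)');
foreach (array('sess-admin-laptop', 'sess-admin-phone', 'sess-other-user') as $sid) {
    $insert->execute(array($sid, 'constructed session payload', time()));
}

$invalidator = new UserSessionInvalidator($pdo);
$invalidator->register(42, 'sess-admin-laptop');
$invalidator->register(42, 'sess-admin-phone');
$invalidator->register(7, 'sess-other-user');

// User 42 was just demoted: kick them out everywhere. User 7 keeps their session.
$removed = $invalidator->invalidateUser(42);
$remaining = (int) $pdo->query('SELECT COUNT(*) FROM sessions')->fetchColumn();
printf("sessions removed for user 42: %d, sessions still stored: %d\n", $removed, $remaining);
```

Two caveats a practitioner should keep in mind with this approach. First, it only works if all sessions go through the database handler; sessions in the default file-based storage cannot be located by user this way. Second, if the firewall has `remember_me` enabled, a deleted session is not enough on its own, because the remember-me cookie will re-authenticate the user on the next request with whatever roles the user provider returns at that moment; since the roles are reloaded from the user provider in that case, the demotion does take effect, but a full "log out everywhere" also needs the remember-me cookie or its server-side token (persistent token provider) to be cleared.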