PassportJS - Is it possible to change req.user for another user?


Problem description

In my application, I have implemented the ability to change a user's permissions, rank, etc. It works great: if I update my own permissions, I can see the changes instantly since I can update the req.user object via req.login(). Problem is, when I update another user's permissions, it updates in the database just fine, but the user will have to relog to see their permissions change since req.user still thinks they don't have the permission. This is fine if they're not logged in of course, but if they are, I'd like the change to be reflected immediately for them if possible.

So I'm wondering if there's a way to update another user's req.user object so they can see their permissions change right away without having to log out and back in?

Or possibly a way to logout and login that user before returning?

Recommended answer

Since the permissions are in your own database then sure you can, but how to do it depends on your app.

Given you are using sessions, the object stored in req.user is loaded separately for every HTTP request by using the function you provided with passport.deserializeUser. Often you would store the user ID in the session in passport.serializeUser, and then retrieve the user from the database with that ID in deserializeUser. Thus, whenever a request is being handled in the backend you would generally have the latest information in req.user, including the permissions. Naturally your frontend also needs to somehow get the new permissions and adjust itself (e.g. if you add admin rights to a user, you probably would want them to see the admin options in the UI).

You could of course just pass the whole user object to the session store and skip one database call per request, i.e. using these:

// Store the complete user object in the session (no DB lookup per request,
// but the stored copy goes stale when the database changes).
passport.serializeUser(function(user, cb) { cb(null, user); });
passport.deserializeUser(function(user, cb) { cb(null, user); });

for session handling. If you do this then the database changes are not reflected in the req.user object. If the user updated their own information you could just call req.logIn(...), but that you cannot call for other users. You can work around this though, e.g. notify the user in question over websocket and make their browser call a route that calls req.logIn with the latest user object, or dig into the session store and manipulate the data there directly.

Or, since forcing a logout is an option, you could follow enRaiser's answer and locate the user's sessions in the session store and delete them all, which is effectively logging out the user from the backend. You can go through the sessions via the API, or if you use a database (e.g. connect-mongo or connect-redis) for the session store you can also open another connection to the same database and use normal search and destroy methods. Again you still need to handle the logout in the frontend by yourself somehow.
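The two session strategies the answer contrasts (ID in the session with a database lookup in deserializeUser, versus the whole user object in the session) and the "search and destroy" forced logout can be exercised without Express or Passport. The following is an added example, not code from the answer or from Passport itself: it models the session store as a plain Map whose records mirror the `{ passport: { user } }` shape Passport writes into req.session, and the `serialize`/`deserialize` pairs stand in for serializeUser/deserializeUser. The user table, the `login`, `loadReqUser`, `grantPermission` and `revokeUserSessions` helpers, and the session IDs are all constructed for the example.

```javascript
// Added example (not from the answer or from Passport): a minimal in-memory
// model of how serializeUser/deserializeUser interact with the session store,
// used to check what another user's req.user sees after their permissions
// are changed in the database.

// Constructed user table standing in for the application's database.
const usersDb = new Map([
  [1, { id: 1, name: 'alice', permissions: ['read'] }],
  [2, { id: 2, name: 'bob', permissions: ['read', 'admin'] }],
]);

// Strategy A (what the answer describes as the usual setup): the session
// holds only the user ID and every request re-reads the user from the DB.
const byId = {
  serialize: (user) => user.id,
  deserialize: (id) => usersDb.get(id) || null,
};

// Strategy B (the shortcut the answer warns about): the session holds a
// copy of the whole user object, so no DB call is made per request.
const wholeObject = {
  serialize: (user) => ({ ...user, permissions: [...user.permissions] }),
  deserialize: (obj) => obj,
};

// Simulated login: create a session record for the user and return its ID.
function login(store, strategy, user) {
  const sid = `sid-${store.size + 1}`; // constructed session ID
  store.set(sid, { passport: { user: strategy.serialize(user) } });
  return sid;
}

// Simulated per-request loading: this is what req.user would contain.
function loadReqUser(store, strategy, sid) {
  const session = store.get(sid);
  if (!session || !session.passport) return null;
  return strategy.deserialize(session.passport.user);
}

// Admin-side permission change, written to the database only.
function grantPermission(userId, perm) {
  const user = usersDb.get(userId);
  if (!user) throw new Error(`unknown user ${userId}`);
  if (!user.permissions.includes(perm)) user.permissions.push(perm);
  return user;
}

// "Search and destroy": delete every session that belongs to the given user,
// which forces a fresh login (the forced-logout option from the answer).
function revokeUserSessions(store, strategy, userId) {
  let removed = 0;
  for (const [sid, session] of store) {
    const user = session.passport && strategy.deserialize(session.passport.user);
    if (user && user.id === userId) {
      store.delete(sid);
      removed++;
    }
  }
  return removed;
}

// Walks through both strategies: alice logs in under each, bob grants her
// 'write' in the DB, then we look at what each strategy reports as req.user.
function demo() {
  usersDb.get(1).permissions = ['read']; // reset constructed state
  const storeA = new Map();
  const storeB = new Map();
  const alice = usersDb.get(1);
  const sidA = login(storeA, byId, alice);
  const sidB = login(storeB, wholeObject, alice);

  grantPermission(1, 'write'); // bob's admin action, DB only

  const idBased = loadReqUser(storeA, byId, sidA).permissions.slice();
  const whole = loadReqUser(storeB, wholeObject, sidB).permissions.slice();

  // Strategy B is stale; revoking alice's sessions forces her to re-login.
  const removed = revokeUserSessions(storeB, wholeObject, 1);
  const afterRevoke = loadReqUser(storeB, wholeObject, sidB);

  return { idBased, whole, removed, afterRevoke };
}

console.log(demo());
// → { idBased: ['read','write'], whole: ['read'], removed: 1, afterRevoke: null }
```

With the ID-only strategy the next request already sees `write` because deserialize hits the database; with the whole-object strategy the stored copy still says `read` until the session is deleted (or replaced via req.logIn). When a real store such as connect-redis or connect-mongo is used, `revokeUserSessions` corresponds to querying that backend for records whose serialized user matches and destroying them.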
