I had the same problem with FOSUserBundle, where I would disable a user, but if they were logged in they could continue under the existing session. The disable only took effect when they tried to log in again.
To get around it I found a different way of doing this using a Security Voter. I created a custom voter that runs each time you call the ->isGranted() checker. I check for isGranted on every page for various ROLE levels. This voter then checks if the user isEnabled; if they aren't, the voter votes to fail and disallows the user, returning them to the login screen.
My Custom Voter:
namespace AppBundle\Security;

use AppBundle\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

/**
 * Purpose: A Voter that checks if the user is still enabled. Default FOSUserBundle behavior allows disabled users to
 * continue under their existing session. This voter is designed to prevent that.
 * Created by PhpStorm.
 * User: Matt Emerson
 * Date: 2/17/2018
 * Time: 1:24 PM
 */
class UserVoter implements VoterInterface
{
    // vote() is consulted on every isGranted() call, for every attribute,
    // so no supports() filter is needed: this voter is always available.
    public function vote(TokenInterface $token, $subject, array $attributes)
    {
        $user = $token->getUser();

        if (!$user instanceof User) {
            // the user must be logged in; if not, deny access
            // (note: under the "unanimous" strategy this also vetoes attributes an
            // anonymous token would normally pass, e.g. IS_AUTHENTICATED_ANONYMOUSLY)
            return self::ACCESS_DENIED;
        }

        if ($user->isEnabled() === false) {
            // the user is not enabled; deny access
            return self::ACCESS_DENIED;
        }

        // The user is logged in and enabled: abstain rather than grant. Returning
        // ACCESS_GRANTED here would hand every enabled user every attribute checked
        // (ROLE_ADMIN included), because one GRANTED vote is enough under the default
        // "affirmative" strategy. A DENIED vote only blocks access if
        // security.access_decision_manager.strategy is set to "unanimous".
        return self::ACCESS_ABSTAIN;
    }
}
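The deny vote from a voter like this only has an effect if the access decision strategy lets a single DENIED win, which the default Symfony configuration does not. The following stand-alone script is an added example, not code from the answer above or from FOSUserBundle; it runs the same ROLE_USER check through Symfony's own AccessDecisionManager under each strategy so the difference can be seen directly. It assumes a Symfony 3.4/4.x project with symfony/security-core installed and a Composer autoloader at vendor/autoload.php; DemoUser and DisabledUserVoter are constructed stand-ins for AppBundle\Entity\User and the answer's voter.

```php
<?php
// Added example: how access_decision_manager.strategy decides whether a
// "user is disabled" DENIED vote actually blocks access. Assumes a Symfony
// 3.4/4.x install with symfony/security-core and vendor/autoload.php present.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\User\UserInterface;

// Constructed stand-in for AppBundle\Entity\User: only the "enabled" flag matters here.
class DemoUser implements UserInterface
{
    private $username;
    private $roles;
    private $enabled;

    public function __construct($username, array $roles, $enabled)
    {
        $this->username = $username;
        $this->roles = $roles;
        $this->enabled = $enabled;
    }

    public function isEnabled()        { return $this->enabled; }
    public function getRoles()         { return $this->roles; }
    public function getUsername()      { return $this->username; }
    public function getPassword()      { return null; }
    public function getSalt()          { return null; }
    public function eraseCredentials() {}
}

// Hardened form of the idea in the answer (hypothetical name): deny only a
// disabled user and abstain in every other case. Abstaining, instead of
// returning ACCESS_GRANTED, leaves ROLE_* decisions to RoleVoter and leaves
// anonymous tokens alone, so the login page itself stays reachable.
class DisabledUserVoter implements VoterInterface
{
    public function vote(TokenInterface $token, $subject, array $attributes)
    {
        $user = $token->getUser();
        if ($user instanceof DemoUser && !$user->isEnabled()) {
            return self::ACCESS_DENIED;
        }
        return self::ACCESS_ABSTAIN;
    }
}

// Mirrors what form_login leaves in the session: an authenticated token carrying the user's roles.
function tokenFor(DemoUser $user)
{
    return new UsernamePasswordToken($user, null, 'main', $user->getRoles());
}

$enabled  = new DemoUser('alice', ['ROLE_USER'], true);   // constructed sample users
$disabled = new DemoUser('bob',   ['ROLE_USER'], false);
$voters   = [new RoleVoter(), new DisabledUserVoter()];

// Same two voters, same ROLE_USER check, three decision strategies.
foreach (['affirmative', 'consensus', 'unanimous'] as $strategy) {
    $adm = new AccessDecisionManager($voters, $strategy);
    printf(
        "%-11s ROLE_USER: enabled user=%s, disabled user=%s\n",
        $strategy,
        var_export($adm->decide(tokenFor($enabled), ['ROLE_USER']), true),
        var_export($adm->decide(tokenFor($disabled), ['ROLE_USER']), true)
    );
}
```

Under "affirmative" (the default) access is granted as soon as any voter grants, so RoleVoter's GRANTED for ROLE_USER wins and the disabled user's DENIED is ignored; under "consensus" the one grant and one deny tie, and Symfony resolves a tie as granted unless allow_if_equal_granted_denied is turned off; only under "unanimous" does a single DENIED block the disabled user. For the voter in the answer to do what it is meant to do, set strategy: unanimous under security.access_decision_manager in the security config, and check that nothing else on the site relies on the affirmative default.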