
I have started a project with Symfony 4.3. The code for registering and authenticating users was generated using the console, with bin/console make:auth and bin/console make:registration-form, and I didn't really modify it beyond that.

Now, I have some pages which are restricted to certain user roles. This is configured in config/packages/security.yaml, with for example

security:
    access_control:
    - { path: ^/admin, roles: ROLE_ADMIN }

I also have a form that allows me to modify a user's role. Now this is the crux of the issue: if I modify the role of a user who is currently connected, the pages that he can access do not change until he logs out and logs in again. Since the database is properly updated, this means that his former role is still stored somewhere. I need to know where, so that I can update it without forcing him to log out and in again.

I don't think that it is in a plain file, as find . -mmin 5 finds nothing after I create a new user and log in as them. I've seen var/cache//session mentioned, but I don't have this directory. I see nothing in the database either, nor any cookies with the information in my browser.

So, where does Symfony store information on logged-in users?


https://stackoverflow.com/a/57676864/11410707

This one solves (part of) my issue, but only if I modify the current user, not if I modify another. I'm also still interested in where tokens are stored.


The question has been locked even though the two links don't provide the answer, so here it is for the record:

The info on logged-in users is stored in the PHP session of each user. In turn, the PHP sessions are stored as plain files in the directory /var/opt/remi/php73/lib/php/session/ (at least on my CentOS install).

Each session can only be accessed by the corresponding user, identified by the PHPSESSID cookie. Thus, it's not possible to refresh a remote user's session directly.

user153991
  • Users are stored in sessions: you can find how to refresh it [here](https://symfony.com/doc/current/security/user_provider.html#understanding-how-users-are-refreshed-from-the-session) – GrenierJ Jan 10 '20 at 14:27
  • Everywhere that I looked, only the current user's session was accessed. Is it possible at all to access the session of another user? – user153991 Jan 10 '20 at 14:37
  • You can't access the session of another user. I think you should update the `refreshUser` method of the `UserProvider` to refresh roles when the user comes back and the session is reloaded. – GrenierJ Jan 10 '20 at 14:54
  • Also this one: https://stackoverflow.com/questions/9220975/change-the-role-of-a-distant-user-without-having-to-relog – yivi Jan 10 '20 at 14:56
  • @yivi The first question explains how to refresh the current user, while I want to refresh another arbitrary user. I don't think that I can adapt the method explained if I can't access that other user's session. The second question is what I want to do, but the method described didn't seem to work for me. Since there wasn't much explanation I couldn't troubleshoot, hence my current question. – user153991 Jan 10 '20 at 15:08
  • @GrenierJ I'm going to look into that, thank you. – user153991 Jan 10 '20 at 15:09

1 Answer


Generate a new token and refresh:

use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;

// Inside a container-aware controller, after the role change has been made on the
// user entity (addRole() is FOSUserBundle's API; ROLE_**** is a placeholder).
$user->addRole('ROLE_****');

// Build a fresh token for the 'main' firewall that carries the user's current roles.
// The token stored in the session keeps the roles it was created with, so it has to
// be rebuilt for the new roles to take effect without a new login.
$token = new UsernamePasswordToken($user, null, 'main', $user->getRoles());

// 'security.context' was removed in Symfony 3.0; on 4.x the token lives in the
// token storage service.
$this->container->get('security.token_storage')->setToken($token);

// FOSUserBundle's user manager reloads the user so the refreshed entity is in sync.
$userManager = $this->container->get('fos_user.user_manager');
$userManager->refreshUser($user);