What is the recommended way of reloading roles after login? · Issue #14665 · symfony/symfony-docs · GitHub
What is the recommended way of reloading roles after login? #14665
Closed
ThePeterMick opened this issue Dec 5, 2020 · 1 comment

ThePeterMick (Contributor) commented Dec 5, 2020

It'd be good to see what the recommended way to reload user roles after login is; this is very likely a common scenario that Symfony developers would be looking for.

Scenario:

  1. John logs in with ROLE_USER
  2. Jane, the "Super Admin", adds ROLE_ADMIN to Joe's account
  3. John refreshes the page, and sees that he is an admin now (without a logout).

Scenario 2:

  1. Jane logs in
  2. Jane upgrades her account, ROLE_SUBSCRIBER
  3. Jane has new roles on her account without a logout

Potential solution for scenario 1: have a custom isEqualTo() on the user entity that does not check getRoles() (so that it doesn't cause a logout due to the now-default behaviour), AND set an onCoreController listener that re-authenticates with the user that has the updated roles (triggered by comparing a property such as updatedAt or similar):

```php
// Re-authenticate with the user object that now carries the updated roles
$token = $loginFormAuthenticator->createAuthenticatedToken($user, $providerKey);
$guardAuthenticatorHandler->authenticateWithToken($token, $request, $providerKey);
```

Potential solution for scenario 2: post-upgrade of the account, in the same action, re-authenticate again using guard with the code above (I've tested it and the new role will appear).

Page: https://github.com/symfony/symfony-docs/blob/5.x/security.rst

A real world example: Spotify is apparently made in Symfony, and after upgrading to Premium, they do not ask you to log back in.

Thanks,
Peter
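One way to implement the listener described in the post above, as an added example that is not code from the issue or from symfony-docs (PHP 8 and Symfony 5.2 with the Guard component are assumed; the firewall name `main`, `LoginFormAuthenticator`, the `User` entity and the trait name are assumptions): the entity's isEqualTo() drops the role comparison but keeps the credentials, and a kernel.controller subscriber rebuilds the Guard token whenever the refreshed user's roles differ from the ones snapshotted in the token.

```php
<?php
// Added example, not from the issue or symfony-docs; PHP 8, Symfony 5.2 + Guard,
// a firewall named "main", LoginFormAuthenticator and the User entity are assumed.
namespace App\Security;

use App\Entity\User;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ControllerEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Guard\GuardAuthenticatorHandler;
// For the User entity (must implement EquatableInterface): roles are left out so
// a role change no longer ends the session, but username and password hash are
// still compared, so a password change still invalidates existing sessions.
trait RoleAgnosticEquality
{
    public function isEqualTo(UserInterface $user): bool
    {
        return $user instanceof self
            && $this->getUsername() === $user->getUsername()
            && $this->getPassword() === $user->getPassword();
    }
}
final class RefreshRolesSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private Security $security,
        private LoginFormAuthenticator $authenticator,
        private GuardAuthenticatorHandler $guardHandler
    ) {}
    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::CONTROLLER => 'onKernelController'];
    }
    public function onKernelController(ControllerEvent $event): void
    {
        $token = $this->security->getToken();
        $user = $token ? $token->getUser() : null;
        if (!$event->isMasterRequest() || !$user instanceof User) {
            return;
        }
        // The provider already refreshed $user from the database, but the token
        // still holds the roles snapshotted at login: rebuild it if they differ.
        if (array_diff($user->getRoles(), $token->getRoleNames()) || array_diff($token->getRoleNames(), $user->getRoles())) {
            $fresh = $this->authenticator->createAuthenticatedToken($user, 'main');
            $this->guardHandler->authenticateWithToken($fresh, $event->getRequest(), 'main');
        }
    }
}
```

The rebuilt token is written back to the session by the firewall's context listener at the end of the request, so the next page load already carries the new roles.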

javiereguiluz (Member) commented

@ptrm04 thanks for reporting this. I agree with you and this doesn't look very UX-friendly. So, I've opened symfony/symfony#39763 to try to fix this in Symfony. That's why I'm closing this doc issue for now, hoping that this will be fixed without the need of any hack or change in our applications. Thanks!
