Question
In my application I can change user permissions and roles in the backend.
When a user is logged in and I remove a role of the user, the user can still access content which he actually is not permitted to access anymore, because he is missing the role. The changes take effect only when the user reauthenticates himself with logout/login.
So my question is, can I access the session of a logged in user (not me)? I know I can access my own session and destroy it, which forces me to log in again. But I want to get the session of any user who is logged in. Is this possible? I could not find any resources about that.
I use PdoSessionStorage with symfony2.1 and fosuserbundle.
Accepted answer
Make your user class implement Symfony\Component\Security\Core\User\EquatableInterface.
If you return false from the isEqualTo() method, the user will be reauthenticated. Use that method to compare only those properties that when changed should force reauthentication — roles in your case.
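The following is an added example of the approach described in the answer; it is not code from the original answer or from Symfony/FOSUserBundle. It assumes a FOSUserBundle-based User entity (the namespace Acme\UserBundle\Entity and the class name are placeholders) and that the security firewall refreshes the session user on each request, which is when Symfony asks the copy of the user stored in the session whether it is equal to the copy freshly loaded from the database:

```php
<?php
// Added example (not from the original answer). Assumes a FOSUserBundle-based
// User entity; the namespace and class name are placeholders.
namespace Acme\UserBundle\Entity;

use FOS\UserBundle\Model\User as BaseUser;
use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User extends BaseUser implements EquatableInterface
{
    /**
     * Called by the security layer when the user stored in the session is
     * refreshed from the database on a request. Returning false marks the
     * user as changed, the authentication token is dropped, and the user
     * has to log in again.
     *
     * Only the username and the roles are compared here: a profile edit or a
     * password change should not force re-authentication, but a role removed
     * in the backend must take effect on the next request instead of only
     * after a logout/login.
     */
    public function isEqualTo(UserInterface $user)
    {
        if (!$user instanceof self) {
            return false;
        }

        // A different account in the same session is never "equal".
        if ($this->getUsername() !== $user->getUsername()) {
            return false;
        }

        // $this is the copy from the session (roles at login time), $user is
        // the freshly loaded entity (current roles). Any difference, in
        // either direction, forces re-authentication.
        return self::normalizeRoles($this->getRoles())
            === self::normalizeRoles($user->getRoles());
    }

    /**
     * Order-independent comparison: sort and de-duplicate so that merely
     * re-ordering the same set of roles does not log the user out.
     */
    private static function normalizeRoles(array $roles)
    {
        $roles = array_values(array_unique($roles));
        sort($roles);

        return $roles;
    }
}
```

With this in place the removed role is detected on the user's next request, without touching another user's session at all, which is why the answer points at EquatableInterface rather than at PdoSessionStorage. Keep the comparison limited to the properties that really matter for authorization; comparing every column would log users out after harmless edits such as a changed e-mail address.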