Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update userdata in $_SESSION #935

Open
kkrell2016 opened this issue Nov 17, 2022 · 10 comments
Open

Update userdata in $_SESSION #935

kkrell2016 opened this issue Nov 17, 2022 · 10 comments
Assignees

Comments

@kkrell2016
Copy link

It would be great if the user data would be updated every time you call it. At the moment you have to log out and log in again when you change attributes of a user in the database. Maybe with a flag in the config to control the behavior.

@mevdschee mevdschee self-assigned this Nov 17, 2022
@apps-caraga
Copy link
Contributor

How would this work? Like, if an admin changes your username or access level, does it mean it automatically gets effected on the client-side or current user session?

@mevdschee
Copy link
Owner

How would this work?

It can affect the server side permission handlers when a role changes.

@apps-caraga
Copy link
Contributor

apps-caraga commented Nov 18, 2022

2 possible scenarios.

  1. User makes changes to his/her own profile
  2. Admin does the changes to another user.

For # 1, we can require the user to enter the password when changing any critical profile information. This essentially does the re-logout/login routine.

For # 2, this could be limited to changing or setting the users' access level.

@kkrell2016
Copy link
Author

It is not only about the access rights. In my case, the administrator also changes some other fields. Of course, the changes are updated only on server side. But in general everything should also be controlled on server side. "Never trust the client" :)
Currently I put my code for the update in the before handler.

@apps-caraga
Copy link
Contributor

apps-caraga commented Feb 22, 2023

Would it be possible or is there any negative effect if the 'api.php/me' endpoint returns data selected from the users table (based current user id in session variable ) instead of the original session data? Currently, it returns the existing session data, so if the user edits an attribute, e.g., firstname or lastname, calling the 'api.php/me' returns only the orig user data and not the updated one

@apps-caraga
Copy link
Contributor

This can be useful when used with dbAuth.loginAfterRegistration . For example, a new user is logged-in after registration but remains in a view-only page until an admin updates the user's permission to add/edit/delete data. This way, the app can check the /me endpoint and gets an updated user permission (the session data should also be updated by this time).

Anyway, I realize it's going to hit the database everytime the endpoint is accessed so perhaps that can be limited by adding a config setting so that the db is queried only after x seconds has passed. This would also need to add a updatedAt when starting the session.

@scriptPilot
Copy link

Would be useful for me too!

@mevdschee
Copy link
Owner

Would it be possible or is there any negative effect if the 'api.php/me' endpoint returns data selected from the users table (based current user id in session variable ) instead of the original session data?

Good idea. I don't see how this change would have a negative effect.

@scriptPilot
Copy link

What about to update the $_SESSION variable on every call?
As it is the trigger if the user has access to the DB or not it would be straightforward to keep it updated.

If the user is updated in the meantime (less rights, deactivated, ...) it would be very helpful to have this information available with the next call to the DB.

@scriptPilot
Copy link

As other users propose it could be a configuration setting to update the $_SESSION on each call at the beginning :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants