Update userdata in $_SESSION #935
Comments
How would this work? Like, if an admin changes your username or access level, does it mean it automatically gets effected on the client-side or current user session?
It can affect the server side permission handlers when a role changes.
2 possible scenarios.
For # 1, we can require the user to enter the password when changing any critical profile information. This essentially does the re-logout/login routine. For # 2, this could be limited to changing or setting the users' access level.
It is not only about the access rights. In my case, the administrator also changes some other fields. Of course, the changes are updated only on server side. But in general everything should also be controlled on server side. "Never trust the client" :)
Would it be possible or is there any negative effect if the '
This can be useful when used with dbAuth.loginAfterRegistration. For example, a new user is logged-in after registration but remains in a view-only page until an admin updates the user's permission to add/edit/delete data. This way, the app can check the /me endpoint and gets an updated user permission (the session data should also be updated by this time). Anyway, I realize it's going to hit the database every time the endpoint is accessed so perhaps that can be limited by adding a config setting so that the db is queried only after x seconds have passed. This would also need to add an updatedAt when starting the session.
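The time-limited refresh described in the comment above, sketched as an added example (not part of the thread and not php-crud-api's own code). The function name `refreshSessionUser`, the `users` table with its columns, and the `$session` array standing in for `$_SESSION` are assumptions.

```php
<?php
// Added example, not php-crud-api code. Table and column names
// (users, id, username, password, role) and the 'updatedAt' key are assumptions.

/**
 * Re-read the logged-in user from the database when the cached copy in the
 * session is older than $ttlSeconds. Returns the current user, or null when
 * there is no session user or the row no longer exists.
 */
function refreshSessionUser(PDO $db, array &$session, int $ttlSeconds, int $now): ?array
{
    if (!isset($session['user']['id'])) {
        return null; // not logged in
    }
    $age = $now - ($session['updatedAt'] ?? 0);
    if ($age < $ttlSeconds) {
        return $session['user']; // cached copy is still fresh, no query
    }
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->execute([':id' => $session['user']['id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // User was deleted in the meantime: drop the cached identity
        unset($session['user'], $session['updatedAt']);
        return null;
    }
    unset($row['password']); // never keep the password hash in the session
    $session['user'] = $row;
    $session['updatedAt'] = $now;
    return $row;
}

// Constructed demo data: in-memory SQLite, one user registered as 'viewer'.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'constructed-hash', 'viewer')");

$session = ['user' => ['id' => 1, 'username' => 'alice', 'role' => 'viewer'], 'updatedAt' => 1000];

$db->exec("UPDATE users SET role = 'editor' WHERE id = 1"); // admin changes the role

$early = refreshSessionUser($db, $session, 60, 1030); // 30 s old: cached copy
$late  = refreshSessionUser($db, $session, 60, 1060); // 60 s old: re-queried
echo $early['role'], ' -> ', $late['role'], PHP_EOL;

$db->exec('DELETE FROM users WHERE id = 1');
var_dump(refreshSessionUser($db, $session, 60, 1200)); // row gone: session user cleared
```

With a non-zero interval, a demoted or deactivated user keeps the cached rights until the interval expires; an interval of 0 re-queries on every call.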
Would be useful for me too!
Good idea. I don't see how this change would have a negative effect.
What about to update the If the user is updated in the meantime (less rights, deactivated, ...) it would be very helpful to have this information available with the next call to the DB.
As other users propose it could be a configuration setting to update the
It would be great if the user data would be updated every time you call it. At the moment you have to log out and log in again when you change attributes of a user in the database. Maybe with a flag in the config to control the behavior.