Symfony Security access control doesn't react to user changes in DB

Question

My user provider is set to User entity.

The entity has getRoles() model and it works properly.

My problem is that:

There are two user roles in the website (Admin and Regular)
Regular user can't access Object creation (access_control is set that only Admins can do this)
User logs in while he is still has 'Regular' role
I go and edit this 'Regular' user in DB and set it to 'Admin'
User is still logged-in, the access_control still treats him as 'Regular'
$this->getUser()->getRoles() has the 'Admin' role.
User still can't access the Object creation route, because access_control assumes he is still 'Regular'
He has to re-login, and only then the access_control lets him access the Object creation route.

How do I do so that that database changes apply to the session, without having to log out?

score 1 · Answer 1 · answered Mar 01 '19 at 09:11

1

I think this question is similar to yours. The accepted answer was:

$user = $this->getUser();
$user->addRole('ROLE_ADMIN');
$this->get('fos_user.user_manager')->updateUser($user);
$token = new UsernamePasswordToken($user, null, 'main', $user->getRoles());
$this->get('security.context')->setToken($token);

answered Mar 01 '19 at 09:11

vyctorya

11
3

Hey, yeah, it seems that i need to persist the change through code, not through database. By the way, I've read that I can incorporate complex access controls with expressions, so I'll read more about it. – tomJO Mar 01 '19 at 09:33

score 0 · Accepted Answer · answered Mar 05 '19 at 10:58

0

I went with Symfony's voters: https://symfony.com/doc/current/security/voters.html

Could not be able to achieve it without Security Roles without logging-out.

answered Mar 05 '19 at 10:58

tomJO

371
3
12

Symfony Security access control doesn't react to user changes in DB

2 Answers2