Bug #7679
Disabled users are still able to use Mentat (status: closed)
Description
Tested on my local machine. It seems that if the user stays logged in after the account was disabled, they can still look around. Only when they log out, they can't log back in.
I haven't tested the use of the API; it might be worth checking that.
Updated by Rajmund Hruška 6 months ago
According to the documentation it is possible to use "alternative id" as a token. If we used the user's state as a part of this id then disabling/enabling the user would change the id and thus invalidate the session. After testing this approach, it seems like this is only intended as a part of the "remember me" process, so only when the browser is closed and then reopened. It doesn't seem to be working for active sessions, as the user is not reloaded on every request.
The other way I can think of is checking if the user is enabled at the start of every dispatch_request. We have like 27 of those, so that doesn't seem to be an elegant way of solving this issue.
Updated by Rajmund Hruška 5 months ago
- Status changed from New to In Progress
- Assignee set to Rajmund Hruška
- Target version changed from Backlog to 2.13.1
Updated by Rajmund Hruška 5 months ago
- Status changed from In Progress to Resolved
I managed to check if the user is disabled before request.
Updated by Rajmund Hruška 5 months ago
- Status changed from Resolved to In Review