Bug #7679
closed
Disabled users are still able to use Mentat
Added by Rajmund Hruška about 1 year ago.
Updated 5 months ago.
Category:
Development - GUI
Description
Tested on my local machine. It seems that if the user stays logged in after the account was disabled, they can still look around. Only once they log out can they no longer log back in.
I haven't tested the use of the API; it might be worth checking that.
- Description updated (diff)
- Priority changed from High to Normal
According to the documentation it is possible to use an "alternative id" as a token. If we used the user's state as a part of this id, then disabling/enabling the user would change the id and thus invalidate the session. After testing this approach, it seems like this is only intended as a part of the "remember me" process, so only when the browser is closed and then reopened. It doesn't seem to be working for active sessions, as the user is not reloaded on every request.
The other way I can think of is checking if the user is enabled at the start of every dispatch_request. We have like 27 of those, so that doesn't seem to be an elegant way of solving this issue.
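The per-request check discussed in the comment above, as an added illustration that is not Mentat's code and does not use Flask-Login's API: a constructed account store and session stand in for the framework, a cached user object reproduces the stale-session behaviour from the ticket, and one central gate reloads the account on every request instead of adding a check to each dispatch_request. The state token (login plus enabled flag) is an assumed stand-in for the "alternative id" idea.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class User:
    login: str
    enabled: bool = True

    def state_token(self) -> str:
        # Changes whenever the account is toggled, so a session created
        # before the account was disabled no longer matches (assumed scheme).
        return f"{self.login}:{'1' if self.enabled else '0'}"


USERS = {"alice": User("alice")}  # constructed account store (stands in for the DB)


@dataclass
class Session:
    user: Optional[User] = None  # copy cached at login, as in a stale session
    token: str = ""              # state token recorded at login


def login(session: Session, login_name: str) -> bool:
    user = USERS.get(login_name)
    if user is None or not user.enabled:
        return False  # the reporter's observation: disabled users cannot log back in
    session.user, session.token = replace(user), user.state_token()
    return True


def stale_dispatch(session: Session) -> str:
    """Buggy behaviour from the ticket: trusts the user object cached in the session."""
    return "page" if session.user is not None else "login-required"


def gate(session: Session) -> Optional[User]:
    """Single before-request check: reload the account and compare its state token."""
    if session.user is None:
        return None
    fresh = USERS.get(session.user.login)
    if fresh is None or not fresh.enabled or fresh.state_token() != session.token:
        session.user, session.token = None, ""  # invalidate the live session
        return None
    return fresh


def gated_dispatch(session: Session) -> str:
    return "page" if gate(session) is not None else "login-required"


def scenario() -> dict:
    """Walk through the ticket: log in, disable the account, request again."""
    USERS["alice"] = User("alice")  # reset the constructed store
    s = Session()
    out = {"login": login(s, "alice")}
    USERS["alice"].enabled = False  # admin disables the account mid-session
    out["stale"] = stale_dispatch(s)  # still 'page': the bug
    out["gated"] = gated_dispatch(s)  # 'login-required': session dropped
    out["relogin"] = login(s, "alice")  # False once logged out
    return out
```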
- Status changed from New to In Progress
- Assignee set to Rajmund Hruška
- Target version changed from Backlog to 2.13.1
- Status changed from In Progress to Resolved
- Status changed from Resolved to In Review
- Status changed from In Review to Closed