mtownsend

How can I allow an administrator to modify another user's active session?

I'm working on an application that is somewhat unique from the norm. It depends on a REST API to display categories/products/register users & login/checkout/store order information, etc.

The login system is unique because it logs the user into the REST application, and "logs" the user in to the Laravel side via a session. The Laravel session lets the user access parts of the site that require a user to be logged in to see. Pretty simple so far, just a little different. My question is: Is there a way I can allow an administrator to modify another user's session data?

I'll give an example:

Joe is a user. He's logged in and browsing the site currently with his Laravel set session (lasts for 10 hours). Bob is an administrator. Bob logs in and sees that Joe has been a problem user, so Bob decides to ban Joe. Bob goes to the dashboard, looks up Joe, and clicks a button to ban Joe and submits the form. The form sends up a POST request to the REST API that handles Joe's information in the database and sets his status to '1' in the is_banned column. Joe is now banned according to the REST API. Any future attempts to log in will be blocked. Here is the issue: How do I use Laravel to modify Joe's active session and either update it to reflect his ban, or force him to log out and terminate that session?

Obviously a middleware would work if it is checked on every request and is looking for a key in the session's associative array that is something like 'is_banned', and if it finds that in the session it terminates the session. But how can Bob even get to Joe's active session to change it? Is this something that is possible? My first thought was to switch Laravel sessions to use the database, but the payload seems to be hashed or encrypted, and every time I attempt to set the user_id column it resets to NULL on every new request. I would need some type of user identifier to target that user's session, and then a way to decrypt the payload and update it to reflect is_banned, OR terminate that session somehow?

martinbean

@mtownsend I’m not sure I understand the issue? Laravel re-requests users’ details on each page load, so your middleware would be able to pick up the value of the is_banned column on the next page load.

pmall

> How do I use Laravel to modify Joe's active session and either update it to reflect his ban, or force him to log out and terminate that session?

Isn't the user info pulled from the database? `if (auth()->user()->is_banned) abort(500);`

mtownsend

There is not an active connection to the REST API's database on every request. That's why it is different. The user logs in (makes a request to the REST API with DB, it verifies the login and returns a JSON response to Laravel, Laravel interprets the response and if successful, sets a session), then the user goes on their way through the site until it is time for them to make another interaction with the REST API's database (such as view a product or checkout). The DB is not being checked on every request, and I'm trying to keep it from being that way intentionally, if at all possible.
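The following is an added example, not code posted in this thread, showing one way to reconcile the two positions above: the admin's ban action records a server-side "revoked" marker keyed by the REST user id (a cache lookup, not a REST/database round trip), a middleware checks that marker on each request and terminates the Laravel session, and, when the `database` session driver is in use, the admin action also deletes the banned user's session rows outright. Because the thread's custom login does not go through Laravel's own auth guard (which is what fills the stock `user_id` column of the `sessions` table), the example assumes the login code records the session id per user in its own `user_sessions` table. The session key `api_user_id`, the `user_sessions` table, the cache key format, and the `$api->banUser()` helper are all assumptions, not Laravel APIs.

```php
<?php
// Added example; not from the thread. All key and table names are assumptions.

// ---- file: app/Http/Middleware/EnsureUserNotBanned.php ----
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;

class EnsureUserNotBanned
{
    // Cache key that marks a REST user id as banned (assumed naming scheme).
    public static function banKey(int $userId): string
    {
        return "banned-user:{$userId}";
    }

    public function handle(Request $request, Closure $next)
    {
        // The id the login code stored after the REST API accepted the credentials (assumed key).
        $userId = $request->session()->get('api_user_id');

        // Cache lookup only: no REST API call and no product-database query per request.
        if ($userId !== null && Cache::has(self::banKey((int) $userId))) {
            // Drop all session data and rotate the CSRF token so the old session cannot be reused.
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect('/login')->withErrors(['account' => 'Your account has been suspended.']);
        }

        return $next($request);
    }
}

// ---- file: app/Http/Controllers/Auth/LoginController.php (relevant part) ----
namespace App\Http\Controllers\Auth;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class LoginController
{
    // Called after the REST API has returned a successful login response (assumed flow).
    protected function rememberSession(Request $request, int $userId): void
    {
        $request->session()->regenerate();            // new session id on privilege change
        $request->session()->put('api_user_id', $userId);

        // Map REST user id -> Laravel session id so an admin can find the session later.
        // 'user_sessions' is an assumed table: (api_user_id int, session_id string, created_at).
        DB::table('user_sessions')->updateOrInsert(
            ['session_id' => $request->session()->getId()],
            ['api_user_id' => $userId, 'created_at' => now()]
        );
    }
}

// ---- file: app/Http/Controllers/Admin/BanController.php ----
namespace App\Http\Controllers\Admin;

use App\Http\Middleware\EnsureUserNotBanned;
use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\DB;

class BanController
{
    public function ban(int $userId): RedirectResponse
    {
        // 1. Flag the user in the REST API so future logins are refused (assumed helper).
        // app('api')->banUser($userId);

        // 2. Record the revocation server-side; EnsureUserNotBanned reads this on every request,
        //    so the ban takes effect on the user's next page load even without a DB check.
        Cache::forever(EnsureUserNotBanned::banKey($userId), true);

        // 3. With the 'database' session driver, delete the user's session rows as well.
        //    Once the row is gone, the next request with that cookie starts an empty session.
        $sessionIds = DB::table('user_sessions')
            ->where('api_user_id', $userId)
            ->pluck('session_id');

        DB::table('sessions')->whereIn('id', $sessionIds)->delete();
        DB::table('user_sessions')->where('api_user_id', $userId)->delete();

        return back()->with('status', "User {$userId} banned and logged out.");
    }
}
```

Register the middleware on the routes that require a logged-in user (or in the `web` group). Step 2 alone is enough to force the logout on the next request and works with any session driver; step 3 is the "terminate that session" path and only applies to the database driver. Unbanning needs a matching `Cache::forget(EnsureUserNotBanned::banKey($userId))`, and the `user_sessions` rows should be pruned on logout and on session expiry so the table does not grow without bound.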
