On 19.01.2011, at 23:55, Jeremy Mikola wrote:

> Johannes clued me in to ContextListener::refreshUser(), which appears to be
> what Lukas was referring to. This only functions if the token is not
> immutable, which would have been fine had I not been using
> SwitchUserListener (the impersonation session it creates uses an immutable
> token).
>
> So if ContextListener::refreshUser() is functioning, I think Doctrine
> developers can do without re-authenticating after an edit, provided that
> their UserProvider's loadUserByAccount() method does its query based on ID
> instead of username. This should be a trivial change for FOS UserBundle at
> least.

In general imho the loadUserBy*() methods should get a parameter that makes it clear what the reason for the method call was (user-triggered login, remember me, returning user with an active session, etc.). Right now we have some sort of "hint" for revisiting users since they are handled by the loadUserByAccount() method. But there is no way to differentiate remember me from a user-triggered login.

regards,
Lukas Kahwe Smith
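
Added illustration, not part of the thread and not Symfony or FOS UserBundle code: a self-contained PHP 8 sketch of why reloading the session user by ID survives a username edit while reloading by username does not. `User`, `UserStore`, `refreshByUsername()` and `refreshById()` are hypothetical stand-ins, and the sample accounts are constructed.

```php
<?php
// Hypothetical stand-ins only; none of these are Symfony or FOS UserBundle classes.
final class User
{
    public function __construct(public int $id, public string $username) {}
}

// Constructed in-memory "users table" keyed by primary key.
final class UserStore
{
    /** @var array<int, User> */
    private array $rows = [];

    public function save(User $u): void { $this->rows[$u->id] = clone $u; }

    public function findById(int $id): ?User
    {
        return isset($this->rows[$id]) ? clone $this->rows[$id] : null;
    }

    public function findByUsername(string $name): ?User
    {
        foreach ($this->rows as $row) {
            if ($row->username === $name) { return clone $row; }
        }
        return null;
    }
}

// Two ways a per-request refresh step could reload the user snapshot kept in the session.
function refreshByUsername(UserStore $store, User $fromSession): ?User
{
    return $store->findByUsername($fromSession->username);
}

function refreshById(UserStore $store, User $fromSession): ?User
{
    return $store->findById($fromSession->id);
}

$store = new UserStore();
$store->save(new User(42, 'alice'));
$sessionUser = $store->findById(42);     // snapshot placed in the session at login
$store->save(new User(42, 'alice2'));    // the user edits their username

var_dump(refreshByUsername($store, $sessionUser)); // stale name: no row matches, session is lost
var_dump(refreshById($store, $sessionUser));       // ID is stable: current row for user 42

$store->save(new User(43, 'alice'));     // another account later takes the old name
var_dump(refreshByUsername($store, $sessionUser)); // stale name now resolves to user 43
```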
