On 2/2/11 7:55 AM, Lukas Kahwe Smith wrote:
On 19.01.2011, at 23:55, Jeremy Mikola wrote:
Johannes clued me in to ContextListener::refreshUser(), which appears to be
what Lukas was referring to. This only functions if the token is not
immutable, which it would have been fine had I not been using
SwitchUserListener (the impersonation session it creates uses an immutable
token).
So if ContextListener::refreshUser() is functioning, I think Doctrine
developers can do without re-authenticating after an edit, provided that
their UserProvider's loadUserByAccount() method does its query based on ID
instead of username. This should be a trivial change for FOS UserBundle at
least.
In general imho the loadUserBy*() methods should get a parameter that makes it clear what
the reason for the method call was (user-triggered login, remember me, returning user
with an active session etc). Right now we have some sort of "hint" for
revisiting users since they are handled by the loadUserByAccount() method. But there is
no way to differentiate remember me from a user-triggered login.
No, the loadUserBy*() methods should have no knowledge of why they are
called. Their goal is just to load the User object, that's all.
Fabien
regards,
Lukas Kahwe Smith
[email protected]
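The refresh path the thread is arguing about, as an added illustration that is not Symfony, FOS UserBundle or any poster's code. It reduces the per-request refresh to one function and compares a provider that reloads the session user by username with one that reloads by primary key, with the immutable-token case (impersonation) skipped the way the thread describes. All class, method and property names here are assumed for the example, the store is an in-memory stand-in for the Doctrine repository, and it assumes PHP 8.1 or newer.

```php
<?php
// Added example: models the "refresh the user carried by the session token on
// every request" behaviour discussed in the thread. Hypothetical names throughout;
// nothing here is the framework's actual API.

final class User
{
    public function __construct(
        public readonly int $id,
        public string $username,
        public array $roles,
    ) {}
}

interface RefreshingUserProvider
{
    /** Reload the user held in the session token; null means it can no longer be found. */
    public function loadUserByAccount(User $snapshot): ?User;
}

/** Constructed in-memory store standing in for the real user repository. */
final class UserStore
{
    /** @var array<int, User> */
    private array $byId = [];

    public function save(User $u): void { $this->byId[$u->id] = $u; }
    public function findById(int $id): ?User { return $this->byId[$id] ?? null; }
    public function findByUsername(string $name): ?User
    {
        foreach ($this->byId as $u) {
            if ($u->username === $name) { return $u; }
        }
        return null;
    }
}

/** Looks the session user up by username: breaks as soon as the username is edited. */
final class UsernameProvider implements RefreshingUserProvider
{
    public function __construct(private UserStore $store) {}
    public function loadUserByAccount(User $snapshot): ?User
    {
        return $this->store->findByUsername($snapshot->username);
    }
}

/** Looks the session user up by ID: survives username edits and picks up role changes. */
final class IdProvider implements RefreshingUserProvider
{
    public function __construct(private UserStore $store) {}
    public function loadUserByAccount(User $snapshot): ?User
    {
        return $this->store->findById($snapshot->id);
    }
}

/** The per-request refresh, reduced to its essence. $tokenImmutable models the impersonation case. */
function refreshSession(RefreshingUserProvider $p, User $sessionUser, bool $tokenImmutable = false): string
{
    if ($tokenImmutable) {
        // Immutable token (e.g. one created for impersonation): no refresh happens,
        // so the stale snapshot from login time is what the request runs with.
        return sprintf('not refreshed (immutable token): %s roles=%s',
            $sessionUser->username, implode(',', $sessionUser->roles));
    }
    $fresh = $p->loadUserByAccount($sessionUser);
    if ($fresh === null) {
        return 'refresh failed: user not found, session would be invalidated';
    }
    return sprintf('refreshed: %s roles=%s', $fresh->username, implode(',', $fresh->roles));
}

// Scenario: the user logs in, then an admin edits username and roles while the session lives.
$store = new UserStore();
$store->save(new User(42, 'jmikola', ['ROLE_USER']));

// The session holds a copy taken at login time (the serialized token), not a live object.
$sessionUser = clone $store->findById(42);

// The edit happens between two requests.
$edited = $store->findById(42);
$edited->username = 'jeremy';
$edited->roles    = ['ROLE_USER', 'ROLE_ADMIN'];

echo "by username:  ", refreshSession(new UsernameProvider($store), $sessionUser), "\n";
echo "by id:        ", refreshSession(new IdProvider($store), $sessionUser), "\n";
echo "immutable:    ", refreshSession(new IdProvider($store), $sessionUser, true), "\n";
```

Run it with `php` on the command line. The by-username provider cannot find the user once the username changes, so the session would be dropped and the user forced to log in again; the by-ID provider reloads the row and the new username and roles take effect on the next request without re-authentication, which is the change the thread proposes. The last line shows why that gain is lost under an immutable token: nothing is reloaded at all, so edits do not propagate until the impersonation session ends.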
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en