When are user roles refreshed and how to force it?
Solution 1
So after a couple of days trying to find a viable solution and contributing to the Symfony2 user mailing list, I finally found it. The following has been derived from the discussion at https://groups.google.com/d/topic/symfony2/NDBb4JN3mNc/discussion
It turns out that there's an interface Symfony\Component\Security\Core\User\EquatableInterface
that is not intended for comparing object identity but precisely to
test if two objects are equal in security and re-authentication context
Implement that interface in your user class (the one already implementing UserInterface
). Implement the only required method isEqualTo(UserInterface $user)
so that it returns false if the current user's roles differ from those of the passed user.
Note: The User object is serialized in the session. Because of the way serialization works, make sure to store the roles in a field of your user object, and do not retrieve them directly in the getRoles()
Method, otherwise all of that won't work!
Here's an example of how the specific methods might look like:
protected $roles = null;
public function getRoles() {
if ($this->roles == null) {
$this->roles = ...; // Retrieve the fresh list of roles
// from wherever they are stored here
}
return $this->roles;
}
public function isEqualTo(UserInterface $user) {
if ($user instanceof YourUserClass) {
// Check that the roles are the same, in any order
$isEqual = count($this->getRoles()) == count($user->getRoles());
if ($isEqual) {
foreach($this->getRoles() as $role) {
$isEqual = $isEqual && in_array($role, $user->getRoles());
}
}
return $isEqual;
}
return false;
}
Also, note that when the roles actually change and you reload the page, the profiler toolbar might tell you that your user is not authenticated. Plus, looking into the profiler, you might find that the roles didn't actually get refreshed.
I found out that the role refreshing actually does work. It's just that if no authorization constraints are hit (no @Secure
annotations, no required roles in the firewall etc.), the refreshing is not actually done and the user is kept in the "unauthenticated" state.
As soon as you hit a page that performs any kind of authorization check, the user roles are being refreshed and the profiler toolbar displays the user with a green dot and "Authenticated: yes" again.
That's an acceptable behavior for me - hope it was helpful :)
Solution 2
In your security.yml (or the alternatives):
security:
always_authenticate_before_granting: true
Easiest game of my life.
Solution 3
From a Controller, after adding roles to a user, and saving to the database, simply call:
// Force refresh of user roles
$token = $this->get('security.context')->getToken()->setAuthenticated(false);
Solution 4
Take a look here, set always_authenticate_before_granting
to true
at security.yml
.
Solution 5
I achieve this behaviour by implementing my own EntityUserProvider and overriding loadByUsername($username) method :
/**
* Load an user from its username
* @param string $username
* @return UserInterface
*/
public function loadUserByUsername($username)
{
$user = $this->repository->findOneByEmailJoinedToCustomerAccount($username);
if (null === $user)
{
throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username));
}
//Custom function to definassigned roles to an user
$roles = $this->loadRolesForUser($user);
//Set roles to the user entity
$user->setRoles($roles);
return $user;
}
The trick is to call setRoles
each time you call loadByUsername
... Hope it helps
netmikey
Updated on July 17, 2022Comments
-
netmikey almost 2 years
First off, I'm not using FOSUserBundle and I can't because I'm porting a legacy system which has its own Model layer (no Doctrine/Mongo/whatsoever here) and other very custom behavior.
I'm trying to connect my legacy role system with Symfony's so I can use native symfony security in controllers and views.
My first attempt was to load and return all of the user's roles in the
getRoles()
method from theSymfony\Component\Security\Core\User\UserInterface
. At first, it looked like that worked. But after taking a deeper look, I noticed that these roles are only refreshed when the user logs in. This means that if I grant or revoke roles from a user, he will have to log out and back in for the changes to take effect. However, if I revoke security roles from a user, I want that to be applied immediately, so that behavior isn't acceptable to me.What I want Symfony to do is to reload a user's roles on every request to make sure they're up-to-date. I have implemented a custom user provider and its
refreshUser(UserInterface $user)
method is being called on every request but the roles somehow aren't being refreshed.The code to load / refresh the user in my UserProvider looks something like this:
public function loadUserByUsername($username) { $user = UserModel::loadByUsername($username); // Loads a fresh user object including roles! if (!$user) { throw new UsernameNotFoundException("User not found"); } return $user; }
(
refreshUser
looks similar)Is there a way to make Symfony refresh user roles on each request?
-
netmikey over 11 yearsThis solution seems bound to Doctrine. I'm not using Doctrine though. Also, regardless of Doctrine, I don't see how setting the property on the user entity can affect what's in Symfony's security context?
-
AlterPHP over 11 yearsUser object is set in the token and retrieved in the persistence layer used for the token (session/cookies/bdd). If you don't specifically refreshRoles each time you refresh user, security context works with token roles (persisted with the PHP session). Let's see DaoAuthenticationProvider::retirieveUser method. Any way you use to manage your users, you have to tweak UserProvider::loadByUsername method to refresh roles on each request..
-
netmikey over 11 yearsYes, I see what you mean: the User object is stored in the token, which is (in my case) stored in the user's session. But isn't that exactly what the
refreshUser(UserInterface $user)
method is for? My UserProvider loads and returns a fresh user from the database (including roles!), but they still don't get refreshed in the token. -
AlterPHP over 11 yearsIt works for me (explicitely use setRoles in refreshUser or loadUserByUsername)... Please post your refreshUser method, it may help to find out.
-
AlterPHP over 11 yearsUnless
roles
is an array field (DB column) of your User object, it's not refreshed in your loadUserByUsername method... -
netmikey over 11 yearsFor the time being,
getRoles()
even goes out and fetches roles from the database on each call to it! The thing is: even if I put an exception in it (to quickly see if it's being called), it doesn't fail, so it looks like it isn't being called at all after the session has been initially opened. -
netmikey over 11 years
-
Laurent W. almost 11 years+1 for the "make sure to store the roles in a field of your user object" tip, this saved my life
-
ken over 10 yearsdont forget to implement \Serializable interface and include id, salt and isActive. Since you also need to check if roles has changes, add it too to serializable data.
-
juuga over 10 yearsWonderful! I had already FOSUserBundle implemented, which provided me with
FOS\UserBundle\Model\User
that my user entity extended. I just implemented theEquatableInterface
to that and it worked like a charm (since FOS's User already did the serialization). -
Derick F about 10 yearswhat way would you recommend to "Retrieve the fresh list of roles" if you're using doctrine. I was under the impression that making db calls in an entity was considered a bit taboo?
-
netmikey almost 10 yearsGreat point! I'd go so far as to say: Serializing a Doctrine Entity to the session in the first place seems to be a massive taboo to me. Unfortunately, I don't have a solution at hand for this right now - but you might want to have a look at the other responses in this question! :)
-
delmalki almost 9 yearsI dont understand the point of comparing if roles are equal, I just wanna refresh symfony2 magical refreshing of the roles
-
vincecore over 8 yearsWhen you implement
EquatableInterface
, symfony skips all the other checks for checking if a user has changed (see github.com/symfony/security-core/blob/master/Authentication/…). So i guess you have to do all those thing yourself in theisEqualTo
function? -
inanimatt over 8 yearsWorks great for me, but if you want to avoid a deprecation notice in newer versions of Symfony, use
security.token_storage
instead ofsecurity.context
:) -
Karl Adler about 8 years"make sure to store the roles in a field of your user object" where and how to do that?
-
fracz over 7 yearsyou can write the main part in one line
return count($this->getRoles()) == count($user->getRoles()) && count(array_diff($this->getRoles(), $user->getRoles())) == 0;
-
gam6itko over 7 yearsDon't forget to rebuild
bootstrap.php.cache
. symfony3.2 -
gastonnina almost 7 yearsOn a service you can add it on event 'kernel.controller' to force other users already logged to refresh the permission roles