I am building an admin panel.
Where i give the option to blacklist a user.
If the user is logged in at the time of blacklisting, how can i destroy his session.
his session has the following keys- user_id, username, is_login.
I want to set the is_login to false.
I am working with php
you can do that by :
add field at users table blocked
add middleware that checks for blocked value of user
if true fire Auth::logout();
for more info kindly check the following article 3 Ways to Delete User in Laravel: Block, Hide or Hard-Delete?
Step 1: Create banned_at column at users table.
Step 2: Create middleware for this For example: CheckBanned
In CheckBanned.php Middleware
public function handle ( $request, Closure $next )
{
if ( auth ()->check () && auth ()->user ()->banned_at )
{
auth ()->logout ();
$message = __ ( 'auth.banned_error' );
return redirect ()->route ( 'login' )->with ( 'error',$message );
}
return $next( $request );
}
Step 3: Add middleware to app/Http/Kernel.php
protected $middlewareGroups = [
'web' => [
....
....
\App\Http\Middleware\CheckBanned::class,
....
],
....
....
],
Related
i have an application with one level database for login the users and N databases for one or more users.
i want change the db after a user login.
the db params are stored in the table of the user, so after login i have this:
Config::set("database.connections.mysql", [
"host" => "localhost",
"driver" => "mysql",
'default' => 'mysql',
"database" => $dati->db,
"username" => "root",
"password" => ""
]);
DB::reconnect('mysql');
where $dati->db is the database name for the logged user.
it work only in the current controller but all the other model and controller don't have the new db and returns error for missing tables.
how can i propagate the new settings to all model?
thanks in advance.
You should put it into a middleware.
For example:
<?php
class UserDatabaseMiddleware {
public function handle($request, \Closure $next){
$databaseName = $request->user()->db;
config(['database.connections.mysql.database' => $databaseName]);
return $next($request);
}
}
Then you should define it in App\Http\Kernel.php
<?php
protected $routeMiddleware = [
'dbselect' => UserDatabaseMiddleware::class
]
And finally you can add it to your route file. For example:
<?php
Route::group([
'middleware' => 'dbselect',
], function(){
Route::get('/', [MyController::class, 'myMethod'])->name('index');
})
Now the config should be changed with every http request if user is logged in.
Important:
As it was mentioned in the comments - having multiple databases per user is a bad approach. You should consider it.
There is another way to do this - you can have user_id for each record in table and then create global scope to select only records of logged in user.
I have custom user profile field Faculty.
I want to check it in the user login page, if the user is not assigned as Faculty returned to login page.
How can I do this?
You can use Moodle Events API to trigger an event while logging
The code will be something as the following
Inside your plugin directory create plugin/classes/observer.php file
Let's say your plugin is a clean theme, so the content of that file will be
class theme_clean_observer
{
public static function update_loggedin(\core\event\user_loggedin $loggedin){
//get user data by $loggedin
// check faculty value
// redirect to somewhere
}
}
And create plugin/db/events.php:
$observers = array(
array(
'eventname' => '\core\event\user_loggedin',
'callback' => '\theme_clean_observer::update_loggedin',
)
);
Simple, when the user logs in run a code that checks if the user is a faculty user or not. You can use the link function to direct them to the specific page you want.
for example:
If($UserType == "Faculty"){
link ( "Home.php" )
}else{
link ( "Login.php" )
}
How can I tell yii2 to logged out specific user who has login to system?
Let say, there is 2 user is logged in on system, userA and userB.
How can I specified logged out userB?
What I know is userB has to trigger this command to logout.
Yii::$app->user->logout();
return $this->goHome();
But maybe we can use some command like Yii::$app->user->logout('userB');?
Or is it has some other way?
Well, the problem is about how to kill all sessions of the user.
Flag user to force relogin
You can add an additional column force_relogin to User identity class and set it to true when you need to logout someone:
$user = User::findByLogin('userB');
$user->force_logout = 1;
$user->save();
Then add the event handler beforeLogin() on user component like so:
'user' => [
'class' => 'yii\web\User',
'on beforeLogin' => function ($event) {
if ($event->identity->force_logout && $event->cookieBased) {
$event->isValid = false;
}
},
'on afterLogin' => function ($event) {
if ($event->identity->force_logout) {
$event->identity->force_logout = false;
$event->identity->save();
}
}
]
Check, whether $cookieBased and $identity->force_logout are so on...
But that's a bad idea, because the user may have more than one session (logged in in different browsers)
Store list user's sessions in DB
Create table user_sessions with user_id and session_id columns and save each session, you open for that user in the DB. That you can find all sessions of the user and drop them one by one. Something like: (code is not tested, just as an idea)
$sessionId = Yii::$app->session->getId();
session_commit();
foreach (UserSessions::findByUserLogin('userB') as $session) {
session_id($session->id);
session_start();
session_destroy();
session_commit();
}
session_id($sessionId); // Restore original session
session_start();
session_commit();
The idea is weak because you always should take care about consistence of sessions on the server and in the DB.
Store sessions in DB
Store sessions is the database, as described in the Yii2 Guide for Session handling
Then you can just find session in the DB and delete it directly. You shouldn't take care about the consistence and session rotation, because DB is the only place, where the sessions are being stored. As a free bonus you get a non-blocking work with sessions.
If you are still looking for a solution to this, just change the auth_key of the user that you want to logout. This auth_key is used by the system to remember if a user is logged in, thus changing this will invalidate any session that uses this key.
Example to logout a user with id=100
$user = User::findOne(100);
$user->generateAuthKey(); //a function in User (Identity) class that generates the auth_key
$user->save();
If you are using a model User for storing auth credentials, you can simply change the value of 'id' (and also a key '100') to some other integer value, to make user fail auth on his next request.
In other words, you must change all '100', for example to '200' in this code:
file: /models/User.php
private static $users = [
'100' => [
'id' => '100',
'username' => 'admin',
'password' => 'password_for_admin',
'authKey' => '43e02a0f0e5f6a7907b2f2c69a765be7',
'accessToken' => '7b2f2c69a765be743e02a0f0e5f6a790',
],
];
I am using Ion Auth for my codeigniter application and all seems good except for one thing.
I need to display a list of users along with the groups they are in. How can I retrieve the group id of a particular user without making my own models and querying for it.
$this->ion_auth->user($id)->row(); does not retrieve the group id.
Ion Auth has updated and removed the get_user function in the latest version. As a result of this, the below should return the current group id of the logged in user:
$this->ion_auth->get_users_groups()->row()->id
If you're wanting to get the group id of a particular user, you can pass the user id into the get_users_groups method.
get the Object:
$user_groups = $this->ion_auth->get_users_groups($user->id)->result();
Get the name of the group:
$this->ion_auth->get_users_groups($data['id'])->row()->name;
In my case:
$data['groups'] = $this->ion_auth->get_users_groups($data['id'])->row()
You can check the offcial doc about get users groups:
http://benedmunds.com/ion_auth/#get_users_groups
I came across this because I wanted to add a user's group_id(s) to the session upon successful login. In case anyone is interested, here's how I did it (once i managed to figure out where everything was being done).
In ion_auth_model.php, I took the set_session function:
public function set_session($user)
{
$this->trigger_events('pre_set_session');
$session_data = array(
'identity' => $user->{$this->identity_column},
'username' => $user->username,
'email' => $user->email,
'user_id' => $user->id, //everyone likes to overwrite id so we'll use user_id
'old_last_login' => $user->last_login
);
$this->session->set_userdata($session_data);
$this->trigger_events('post_set_session');
return TRUE;
}
and modified it to this:
public function set_session($user)
{
$this->trigger_events('pre_set_session');
$session_data = array(
'identity' => $user->{$this->identity_column},
'username' => $user->username,
'email' => $user->email,
'user_id' => $user->id, //everyone likes to overwrite id so we'll use user_id
'old_last_login' => $user->last_login
);
//get user group ids for user and pass to session
$groups = $this->ion_auth->get_users_groups($user->id)->result();
foreach ($groups as $row){
$session_data['groups'][] = $row->id;
}
$this->session->set_userdata($session_data);
$this->trigger_events('post_set_session');
return TRUE;
}
now it writes an array to the session called groups that is a list of all the groups the user belongs to.
The only other thing I had to do was to modify the logout function in Ion_auth.php (in application/libraries) to make sure the group session variable is unset by adding
$this->session->unset_userdata('groups');
to the list of other unset_userdata() statements.
I know I probably should have just extended the libraries/models to keep the core untouched, but you could take what I did and easily do that.
hope this helps someone.
Rob
Try adding this to ion_auth_model.php
(Or place the query somewhere else)
/**
* get_all_users_with_group
*
* #return array
**/
public function get_all_users_with_group()
{
$this->trigger_events('get_all_users_with_groups');
return $this->db->select(
$this->tables['users'].'.*, '.
$this->tables['users_groups'].'.'.$this->join['groups'].' as group_id, '.
$this->tables['groups'].'.name as group_name, '.
$this->tables['groups'].'.description as group_desc'
)
->join($this->tables['users_groups'], $this->tables['users_groups'].'.'.$this->join['users'].'='.$this->tables['users'].'.id')
->join($this->tables['groups'], $this->tables['users_groups'].'.'.$this->join['groups'].'='.$this->tables['groups'].'.id')
->get($this->tables['users']);
}
use in the controller:
$groups = array(1,2,3,4);
$this->data['list_staff'] = $this->ion_auth->users($groups)->result(); // выбираем всех teachers из зарегистрированных пользователей
foreach ($this->data['list_staff'] as $k => $one_staff)
{
$this->data['list_staff'][$k]->groups = $this->ion_auth->get_users_groups($one_staff->id)->result();
}
and in view use:
<?php foreach($list_staff as $one):?>
<?php foreach ($one->groups as $group):?>
<?php echo $group->description;?>,
<?php endforeach?>
<?endforeach;?>
but what about query to get groups for current logged in user (for example in my profile) I find next decision.
Controller:
$this->data['this_user_groups'] = $this->ion_auth->get_users_groups()->result();
and view just:
<?php foreach ($this_user_groups as $group):?>
<?php echo $group->description;?>,
<?php endforeach?>
I have a concern about Zend Auth. I've searched throughout the internet, but haven't found any tutorial, article or discussion;
scenario: Login as 'ADMIN' on 'COMPUTER 01' and 'COMPUTER 02' concurrently.
I want my user login system to prevent the 'ADMIN' user from logging in on two computers at the same time. So that when a User is already logged in, the system disables login on another machine.
As far as I am aware this functionality is not built in to Zend_Auth, but you could achieve what you want by extending the Zend_Auth_Adapter that you are currently using and overiding the authenticate() method as danielrsmith suggests.
You would need to add a table to your DB that is set/unset by the login process. The problem is going to be the unset if the user does not specifically log out, but you could store a timestamp in the DB and allow the login to expire for the next login attempt.
My_Auth_Adapter_DbTable extends Zend_Auth_Adapter_DbTable
{
public function authenticate()
{
$authResult = parent::authenticate();
if($this->alreadyLoggedIn(){
$authResult = new Zend_Auth_Result(
Zend_Auth_Result::FAILURE_UNCATEGORIZED,
$this->_identity,
array('User already logged in')
);
} else {
$this->setLoggedIn();
}
return $authResult;
}
private function alreadyLoggedIn()
{
//check db table to see if $this->_identity is already logged in
//then return true or false as appropriate
}
private function setLoggedIn()
{
//update table in DB to reflect logged in status
}
}
I haven't tested this code, but it will, hopefully, get you started in the right direction.
Also, doing it this way will, I think, avoid the need to alter the session handler in any way.
Try this:
Create session table in database:
CREATE TABLE session (
id char(32),
modified int,
lifetime int,
data text,
PRIMARY KEY (id)
);
Store session in database by Zend_Session_SaveHandler_DbTable. Put the following code in bootstrap.php
protected function _initDoctrineSession()
{
$url=constant("APPLICATION_PATH").DIRECTORY_SEPARATOR ."configs".DIRECTORY_SEPARATOR."application.ini";
$config=new Zend_Config_Ini($url,"mysql");
$db=Zend_Db::factory($config->db);
Zend_Db_Table_Abstract::setDefaultAdapter($db);
$config = array(
'name' => 'session',
'primary' => 'id',
'modifiedColumn' => 'modified',
'dataColumn' => 'data',
'lifetimeColumn' => 'lifetime'
);
Zend_Session::setSaveHandler(new Zend_Session_SaveHandler_DbTable($config));
Zend_Session::start();
}
When log in, save user id or user name in session:
$logged_user = new Zend_Session_Namespace('logged_user');
$logged_user->logged_user = $user->name;
Another log in deletes all expired sessions in database firstly:
$sessionModel = new Session();
$sessionModel->removeExpiredSessions();
5.After log in, search session table records to see if current user already logged in:
$sessions = $sessionModel->querySessions();
$flag=true;
foreach ($sessions as $session){
if(strpos($session['data'], $user->name)>0 and strpos($session['data'],"Zend_Auth")>0
){
$flag=false;
}
}
if($flag == false){
$this->_forward('index','index');
return;
}
This will work. But there is a problem, if a user closes the Web browser before log out, the user will not be able to log in again before the session expired. Anyone can help to fix the last problem?