php-crud-api
Update userdata in $_SESSION
It would be great if the user data would be updated every time you call it. At the moment you have to log out and log in again when you change attributes of a user in the database. Maybe with a flag in the config to control the behavior.
How would this work? Like, if an admin changes your username or access level, does it mean it automatically gets effected on the client-side or current user session?
How would this work?
It can affect the server side permission handlers when a role changes.
2 possible scenarios.
- User makes changes to his/her own profile
- Admin does the changes to another user.
For #1, we can require the user to enter the password when changing any critical profile information. This essentially does the re-logout/login routine.
For #2, this could be limited to changing or setting the users' access level.
It is not only about the access rights. In my case, the administrator also changes some other fields. Of course, the changes are updated only on server side. But in general everything should also be controlled on server side. "Never trust the client" :) Currently I put my code for the update in the before handler.
Would it be possible, or is there any negative effect, if the 'api.php/me' endpoint returns data selected from the users table (based on the current user id in the session variable) instead of the original session data? Currently, it returns the existing session data, so if the user edits an attribute, e.g., firstname or lastname, calling 'api.php/me' returns only the original user data and not the updated one.
This can be useful when used with dbAuth.loginAfterRegistration. For example, a new user is logged in after registration but remains in a view-only page until an admin updates the user's permission to add/edit/delete data. This way, the app can check the /me endpoint and get an updated user permission (the session data should also be updated by this time).
Anyway, I realize it's going to hit the database every time the endpoint is accessed, so perhaps that can be limited by adding a config setting so that the db is queried only after x seconds have passed. This would also need an updatedAt to be added when starting the session.
Would be useful for me too!
Would it be possible, or is there any negative effect, if the 'api.php/me' endpoint returns data selected from the users table (based on the current user id in the session variable) instead of the original session data?
Good idea. I don't see how this change would have a negative effect.
What about updating the $_SESSION variable on every call?
As it is the trigger for whether the user has access to the DB or not, it would be straightforward to keep it updated.
If the user is updated in the meantime (less rights, deactivated, ...) it would be very helpful to have this information available with the next call to the DB.
As other users propose, it could be a configuration setting to update the $_SESSION on each call at the beginning :-)