From 23aae920efafd4b37cb361901cb1a2e689fce7c1 Mon Sep 17 00:00:00 2001
From: thisismeonmounteverest
Date: Sat, 13 Apr 2024 15:56:38 +0200
Subject: [PATCH] Use session invalidation to force user logout to avoid re-activation of just retired member.
---
 src/Controller/ProfileController.php | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/Controller/ProfileController.php b/src/Controller/ProfileController.php
index 7a18fe91b..d96543300 100644
--- a/src/Controller/ProfileController.php
+++ b/src/Controller/ProfileController.php
@@ -24,6 +24,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface;
 use Symfony\Component\Routing\Annotation\Route;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Contracts\Translation\TranslatorInterface;
@@ -222,7 +223,7 @@ public function deleteProfileNotLoggedIn(
 $member = $memberRepository->findOneBy(['username' => $data['username']]);
 $verified = false;
- if (null === $member) {
+ if (null === $member || !$member->isBrowsable()) {
 $deleteProfileForm->addError(new FormError($translator->trans('profile.delete.credentials')));
 } else {
 $passwordHasher = $passwordHasherFactory->getPasswordHasher($member);
@@ -239,7 +240,7 @@ public function deleteProfileNotLoggedIn(
 }
 if ($success) {
- return $this->redirectToRoute('security_logout');
+ return $this->redirectToRoute('homepage');
 }
 }
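Review bot: The new `!$member->isBrowsable()` condition routes a retired (non-browsable) member to the same `profile.delete.credentials` error as an unknown username, which is the right shape because a distinct message would let the form be used to probe which accounts exist or have been retired, but nothing in the hunk records that this is deliberate. A comment on the condition would keep a later change from splitting the two cases, e.g. `// Unknown and non-browsable (retired) members get the same generic error so this form cannot be used to probe account status.` Note that the password-hash branch in the `else` still runs only for browsable members, so response timing may still separate the two outcomes; that is pre-existing and not introduced here. `deleteProfileNotLoggedIn` starts before this hunk.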
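Review bot: The success path in `deleteProfileNotLoggedIn` now returns `$this->redirectToRoute('homepage')` instead of passing through `security_logout`, which is fine for a visitor with no authenticated session, but the hunk does not show whether this action turns away an already-authenticated member; if an authenticated session can reach this form, that session keeps its token after the retire, which is exactly the situation the `deleteProfile` change in this commit addresses with `setToken(null)` and `invalidate()`. Worth confirming at the top of the action (outside this hunk) that an authenticated user is redirected away, or applying the same session invalidation here when `$this->getUser()` is not null. The enclosing function starts before this hunk.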
@@ -251,8 +252,12 @@ public function deleteProfileNotLoggedIn(
 /**
 * @Route("/members/{username}/delete", name="profile_delete")
 */
- public function deleteProfile(Request $request, Member $member, ProfileModel $profileModel): Response
- {
+ public function deleteProfile(
+ Request $request,
+ TokenStorageInterface $tokenStorage,
+ Member $member,
+ ProfileModel $profileModel
+ ): Response {
 $loggedInMember = $this->getUser();
 if ($member !== $loggedInMember) {
 return $this->redirectToRoute('members_profile', ['username' => $member->getUsername()]);
@@ -267,7 +272,10 @@ public function deleteProfile(Request $request, Member $member, ProfileModel $pr
 $success = $profileModel->retireProfile($member, $deleteProfileForm->getData());
 if ($success) {
- return $this->redirectToRoute('security_logout');
+ // force logout
+ $tokenStorage->setToken(null); // Force logout
+ $request->getSession()->invalidate();
+ return $this->redirectToRoute('homepage');
 }
 }
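Review bot: The manual logout in the `if ($success)` branch, `$tokenStorage->setToken(null)` followed by `$request->getSession()->invalidate()`, bypasses the firewall's logout pipeline, so a remember-me cookie (if the firewall issues one) survives and can re-authenticate the just-retired member on the next request, and any `LogoutEvent` listeners (CSRF token clearing, custom handlers) are skipped. If the application is on Symfony 6.2 or later, injecting `Symfony\Bundle\SecurityBundle\Security` and calling `$security->logout(false);` gives the same immediate logout while still dispatching the logout event; on older versions the remember-me cookie should be cleared explicitly on the returned response. The two comments `// force logout` and `// Force logout` annotate the same statement; one comment stating why the former redirect was not enough would be more useful, e.g. `// Log out within this request instead of redirecting to security_logout, so the retired member's authenticated session is never reused.` The enclosing `deleteProfile` body starts before this hunk.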