Restriction of login pages, forgotten password and registration if the user is already logged in #2394

Closed
wants to merge 5 commits into
from


@Thibault34

In case the user is already logged in, on the login, forgotten-password and registration pages they are redirected to the profile page.

Thibault34 added some commits Jan 10, 2017
@Thibault34 Thibault34 Update SecurityController.php b6587c3
@Thibault34 Thibault34 Update ResettingController.php d45a2c1
@Thibault34 Thibault34 Update RegistrationController.php 22dd781
@damienalexandre

This makes the profile routes mandatory, but as explained here: https://symfony.com/doc/master/bundles/FOSUserBundle/routing.html, some installations may not expose them.

Controller/SecurityController.php
@@ -26,6 +27,10 @@ class SecurityController extends Controller
*/
public function loginAction(Request $request)
{
+ if ($this->get('security.authorization_checker')->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
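Review bot: the `IS_AUTHENTICATED_REMEMBERED` check at the top of `loginAction` turns away the very users Symfony deliberately sends to this page: a visitor holding only a remember-me cookie who requests a route guarded by `IS_AUTHENTICATED_FULLY` is redirected to the login form to re-enter credentials, and this line would send them away again before they can do so. If a redirect is kept at all, `IS_AUTHENTICATED_FULLY` is the minimum, and the target route should be injected or configurable rather than assuming the profile routes are exposed, since the routing docs let installations omit them.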
@stof
stof Jan 10, 2017 Member

This is a no-go, because it breaks when Symfony asks a remembered user to log in again to achieve full authentication.

@stof
Member
stof commented Jan 10, 2017

This is a BC break (we did it in the past, and several people complained because they rely on being able to access the registration while being logged in).

Thus, it might make sense to access the password resetting while being authenticated by remember_me if you don't remember your password when being asked to enter it again somewhere.

Thibault34 added some commits Jan 10, 2017
@Thibault34 Thibault34 Update SecurityController.php
c79ee82
@Thibault34 Thibault34 Update ResettingController.php
4aa5ebf
@Thibault34

I have changed IS_AUTHENTICATED_REMEMBERED to IS_AUTHENTICATED_FULLY in the login and password resetting pages; is it good?

@stof
Member
stof commented Jan 10, 2017

For the resetting, even FULLY could break things IMO.

And I don't like the hard dependency on the profile page. Projects may not use it (for instance, I don't have such a route in my own project). So I'm rather -1 here.

Thus, both RegistrationController::registerAction and ResettingController::sendEmailAction have a way to add this in your own project with an event listener if you want it. So I'd rather not enforce this behavior for all projects.
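The listener approach stof describes above, as an added example that is not FOSUserBundle's own code nor part of this PR: a subscriber on FOSUserEvents::REGISTRATION_INITIALIZE (and, opt-in, RESETTING_SEND_EMAIL_INITIALIZE) that redirects fully authenticated users to a route the project injects itself. It assumes FOSUserBundle 2.x and Symfony 3.x class names; the namespace, class name and the `$targetRoute`/`$guardResetting` parameters are my own choices.

```php
<?php
// Added example (not FOSUserBundle code). Assumes FOSUserBundle 2.x on Symfony 3.x.
namespace AppBundle\EventListener;

use FOS\UserBundle\Event\GetResponseUserEvent;
use FOS\UserBundle\FOSUserEvents;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

class RedirectAuthenticatedSubscriber implements EventSubscriberInterface
{
    private $authChecker;
    private $router;
    private $targetRoute;    // injected by the project (e.g. 'homepage'): no hard dependency on profile routes
    private $guardResetting; // opt-in, because blocking resetting can break legitimate use (see stof's comment)

    public function __construct(AuthorizationCheckerInterface $authChecker, RouterInterface $router, $targetRoute, $guardResetting = false)
    {
        $this->authChecker = $authChecker;
        $this->router = $router;
        $this->targetRoute = $targetRoute;
        $this->guardResetting = $guardResetting;
    }

    public static function getSubscribedEvents()
    {
        return array(
            FOSUserEvents::REGISTRATION_INITIALIZE => 'onRegistrationInitialize',
            FOSUserEvents::RESETTING_SEND_EMAIL_INITIALIZE => 'onResettingSendEmailInitialize',
        );
    }

    public function onRegistrationInitialize(GetResponseUserEvent $event)
    {
        $this->redirectIfFullyAuthenticated($event);
    }

    // GetResponseNullableUserEvent extends GetResponseUserEvent, so this type hint covers both events.
    public function onResettingSendEmailInitialize(GetResponseUserEvent $event)
    {
        if ($this->guardResetting) {
            $this->redirectIfFullyAuthenticated($event);
        }
    }

    private function redirectIfFullyAuthenticated(GetResponseUserEvent $event)
    {
        // IS_AUTHENTICATED_FULLY, not _REMEMBERED: a remember-me user whom Symfony asks to
        // re-enter credentials must still be able to reach these pages.
        if ($this->authChecker->isGranted('IS_AUTHENTICATED_FULLY')) {
            $event->setResponse(new RedirectResponse($this->router->generate($this->targetRoute)));
        }
    }
}
```

Register it as a service tagged `kernel.event_subscriber`; because the controllers return the event's response when one is set, the redirect short-circuits the action without touching the bundle.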

@Thibault34

OK, so I'll close my request.

Thank you

@Thibault34 Thibault34 closed this Jan 10, 2017