The user blocked in the backend is still logged in to the website on frontend. #26539
Comments
Would make sense though to force logout a user when blocking.
I can replicate this issue when Session Handler is set to PHP. Works fine when set to Database.
@sxzctzppyw
@infograf768
I confirm the bug.
I pointed this out years ago, this isn't anything new. The TL;DR is the force logout routine does nothing but query the session table and delete rows from there. Clearly this only works if using the database as a session handler, which for some reason, too many people seem to think is the only way people will use Joomla.
Indeed I saw some old question about that.
You should not be attempting to directly write to the session storage layer from anywhere outside the session API. You should be going through the session API.
```php
namespace Joomla\CMS\Session;

final class SessionManager
{
    /** @var \SessionHandlerInterface */
    private $sessionHandler;

    public function __construct(\SessionHandlerInterface $sessionHandler)
    {
        $this->sessionHandler = $sessionHandler;
    }

    /**
     * Destroy each session through the configured handler, whatever its storage.
     */
    public function destroySessions(array $sessionIds): void
    {
        foreach ($sessionIds as $sessionId) {
            $this->sessionHandler->destroy($sessionId);
        }
    }
}
```

Still not architecturally "pure" as it still leaks the session handler as a service, and the DI Container doesn't have a notion of "private" services which can only be used in the context of building a service (a
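The difference the comments above describe, as an added example that is not Joomla's code or the patch in PR #26891: deleting the session-table rows leaves a non-database handler's data in place, while calling `destroy()` through `SessionHandlerInterface` removes it. `ArrayHandler`, `sessionIdsForUser`, `forceLogout` and the sample session values are hypothetical names constructed for illustration, and the code assumes PHP 8.

```php
<?php
// Added example, not Joomla code. ArrayHandler stands in for any non-database
// session store; $rows stands in for the session metadata table (session ID
// => user ID). All names and sample values are constructed for illustration.

final class ArrayHandler implements SessionHandlerInterface
{
    /** @var array<string,string> session ID => serialized session data */
    private array $store = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->store[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
}

/** Session IDs the metadata rows attribute to one user. */
function sessionIdsForUser(array $rows, int $userId): array
{
    return array_keys(array_filter($rows, fn (int $owner): bool => $owner === $userId));
}

/** Logout that works for any handler: destroy via the handler, then drop the rows. */
function forceLogout(SessionHandlerInterface $handler, array $rows, int $userId): array
{
    foreach (sessionIdsForUser($rows, $userId) as $id) {
        $handler->destroy($id);
    }
    return array_filter($rows, fn (int $owner): bool => $owner !== $userId);
}

$handler = new ArrayHandler();
$handler->write('sess-a', 'user|i:42;');
$handler->write('sess-b', 'user|i:7;');
$rows = ['sess-a' => 42, 'sess-b' => 7];

// Row-only delete, as the thread describes: the handler still holds the data.
$rowsOnly = array_filter($rows, fn (int $owner): bool => $owner !== 42);
printf("rows only: row kept=%s, data kept=%s\n",
    var_export(isset($rowsOnly['sess-a']), true), var_export($handler->read('sess-a') !== '', true));

$rows = forceLogout($handler, $rows, 42);
printf("via handler: data kept=%s, other user kept=%s\n",
    var_export($handler->read('sess-a') !== '', true), var_export($handler->read('sess-b') !== '', true));
```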
Thanks for explanations. I'm afraid this is over my head.
Begrudgingly I have a patch almost finished to deal with force logout on 4.0.
Please test PR #26891
Looks like the issue was solved elsewhere. I tried and it worked OK for Joomla 4, so I'm closing this issue. Feel free to re-open if you still have the same issue on Joomla 4 (Joomla 3 is now in maintenance mode and only receives security bug fixes, not normal bug fixes anymore).
Steps to reproduce the issue
Please log in to the site as a test user. Then block that user in the backend. Until he logs out, he can still, e.g., change his data or edit his account. If the user requests to delete data in the privacy component and confirms the request, despite his anonymization he is still logged in and can change his already anonymized data.
Expected result
When the user is blocked in the backend, the user is logged out of the site immediately.
Actual result
The user is not being logged out despite being blocked by the administrator.
System information (as much as possible)
Joomla! 3.9.12
Additional comments