1
boftx
Is it possible to force a user logout?
  • 2008/12/4 22:14

  • boftx

  • Just popping in

  • Posts: 8

  • Since: 2008/11/27


It appears to me that a user's group membership/perms are only checked at login, and not later. If nothing else, I would like to be able to force a user off the system when I mark them inactive with their next click.

Ideally, I want a user's access rights to change immediately upon change of group membership, whether more or less restrictive.

Does anyone know how to accomplish this? I am using XOOPS 2.3.1.

2
trabis
Re: Is it possible to force a user logout?
  • 2008/12/5 1:15

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


Where do we inactivate a user, can you point me? Is it in the profile module?

I try to get a way of doing that but I´m not sure it will allways work.

In this tip a user will get logged out everytime you change his groups.

Edit system/admin/users/users.php around line 225

} else {
            if (
$groups != array()) {
                global 
$xoopsUser;
                
$oldgroups $edituser->getGroups();
                
//If the edited user is the current user and the current user WAS in the webmaster's group and is NOT in the new groups array
                
if ($edituser->getVar('uid') == $xoopsUser->getVar('uid') && (in_array(XOOPS_GROUP_ADMIN$oldgroups)) && !(in_array(XOOPS_GROUP_ADMIN$groups))) {
                    
//Add the webmaster's group to the groups array to prevent accidentally removing oneself from the webmaster's group
                    
array_push($groupsXOOPS_GROUP_ADMIN);
                }
                
$member_handler =& xoops_gethandler('member');
                foreach (
$oldgroups as $groupid) {
                    
$member_handler->removeUsersFromGroup($groupid, array($edituser->getVar('uid')));
                }
                foreach (
$groups as $groupid) {
                    
$member_handler->addUserToGroup($groupid$edituser->getVar('uid'));
                }
                
//hack by  trabis
                
$session_id '';
                
$sql"SELECT s.sess_id FROM ".$xoopsDB->prefix('online')." o LEFT JOIN  ".$xoopsDB->prefix('session')." s ON o.online_ip=s.sess_ip WHERE o.online_uid='".$edituser->getVar('uid')."'";
                
$result $xoopsDB->query($sql);
                list(
$session_id) = $xoopsDB->fetchRow($result);
                if(
$session_id != '') {
                    
$sql "DELETE FROM ".$xoopsDB->prefix('session')." WHERE sess_id='".$session_id."'";
                    
$result $xoopsDB->queryF($sql));
                }
                
//end of hack
            
}
            
redirect_header("admin.php?fct=users",1,_AM_DBUPDATED);
        }


This code will check if the user is online so he can get the user IP. Having the user IP the script will get the user session and then delete it.
I think you must have the "Whos Online" Block in your page in order to have the table populated.
I did not find any other way of doing this because the session table is not directly linked to the user profile.

Another thing that may occur is that the session may be deleted on any change in the profile and not just for groups. I´m not shore on that either. Please test it. BTW, don´t try to modify your own account because it wont work, you will not be logged out. You can only log out other users.

3
ghia
Re: Is it possible to force a user logout?
  • 2008/12/5 3:23

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Humm, logging users out, is not the best solution.
However the new rights should be applicable.
I think the problem is only existant when users have changed groups, because the groups are stored in the session. Other permissions have immidiate effect.
I assume, there is no way of adapting other sessions variables, so the only possibility left to remember the change is the database. Isn't it so that for every request the user record is read? Then that could be adapted with an extra field to indicate a group change and that the usergroups have to be reloaded in the session.

4
boftx
Re: Is it possible to force a user logout?
  • 2008/12/5 5:10

  • boftx

  • Just popping in

  • Posts: 8

  • Since: 2008/11/27


I like the idea that a user is logged out on group change, I can live with that just fine. It is a minor thing when increasing a user's access rights, but critical when removing them.

I'll try and see what happens then report back.

Thanks for the tip!

Login

Who's Online

414 user(s) are online (311 user(s) are browsing Support Forums)


Members: 0


Guests: 414


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits