Update userdata in $_SESSION

[kkrell2016]

It would be great if the user data would be updated every time you call it. At the moment you have to log out and log in again when you change attributes of a user in the database. Maybe with a flag in the config to control the behavior.

[apps-caraga]

How would this work? Like, if an admin changes your username or access level, does it mean it automatically gets effected on the client-side or current user session?

[mevdschee]

How would this work?

It can affect the server side permission handlers when a role changes.

[apps-caraga]

2 possible scenarios.

1. User makes changes to his/her own profile
2. Admin does the changes to another user.

For # 1, we can require the user to enter the password when changing any critical profile information. This essentially does the re-logout/login routine.

For # 2, this could be limited to changing or setting the users' access level.

[kkrell2016]

It is not only about the access rights. In my case, the administrator also changes some other fields. Of course, the changes are updated only on server side. But in general everything should also be controlled on server side. "Never trust the client" :)
Currently I put my code for the update in the before handler.

[apps-caraga]

Would it be possible or is there any negative effect if the 'api.php/me' endpoint returns data selected from the users table (based current user id in session variable ) instead of the original session data? Currently, it returns the existing session data, so if the user edits an attribute, e.g., firstname or lastname, calling the 'api.php/me' returns only the orig user data and not the updated one

[apps-caraga]

This can be useful when used with dbAuth.loginAfterRegistration . For example, a new user is logged-in after registration but remains in a view-only page until an admin updates the user's permission to add/edit/delete data. This way, the app can check the /me endpoint and gets an updated user permission (the session data should also be updated by this time).

Anyway, I realize it's going to hit the database everytime the endpoint is accessed so perhaps that can be limited by adding a config setting so that the db is queried only after x seconds has passed. This would also need to add a updatedAt when starting the session.

[scriptPilot]

Would be useful for me too!

[mevdschee]

Would it be possible or is there any negative effect if the 'api.php/me' endpoint returns data selected from the users table (based current user id in session variable ) instead of the original session data?

Good idea. I don't see how this change would have a negative effect.

[scriptPilot]

What about to update the $_SESSION variable on every call?
As it is the trigger if the user has access to the DB or not it would be straightforward to keep it updated.

If the user is updated in the meantime (less rights, deactivated, ...) it would be very helpful to have this information available with the next call to the DB.

[scriptPilot]

As other users propose it could be a configuration setting to update the $_SESSION on each call at the beginning :-)