Depending on different IPN requests I am adding/removing users to/from a user group that is eligible for passing a paywall via a REST handler:
if ($grantAccess) {
    // Payment confirmed: add the user to the paywall group if not already a member
    if (!$user->isMember($group->get('id'))) {
        $user->joinGroup($group->get('id'));
    }
    $action = 'granted';
} else {
    // Payment cancelled/refunded: remove the user from the paywall group
    if ($user->isMember($group->get('id'))) {
        $user->leaveGroup($group->get('id'));
    }
    $action = 'revoked';
}
The whole logic is working, but the actual access perms/session of the user are not getting updated unless the user does a re-login. Looking at the leaveGroup and joinGroup code it only unsets the current session permissions:
I’m not sure I understand what exactly you are trying to do.
With the default settings, MODX saves the sessions to the database table modx_session. But I don’t think it’s possible to identify the rows of a given user.
You probably need a solution like smartSessions, which uses a custom session handler and adds a new column user_id to the (new) session table (modx_smart_sessions). Then you could delete the entries of a certain user, so that the user is forced to log in again.
It’s also not advisable to associate a user_id with a session, as that then becomes a vector for security attacks should someone gain access to the database. In fact, we just deprecated and stopped recording the session_id in the user_attributes table because it was reported as a potential security vulnerability.
user is logged in and has access to paid content (via user group paid)
payment gateway calls modRest route with an IPN that payment was cancelled
my handler removes this user via leaveGroup
=> Problem: this user still has access to the paid content until he logs out and logs in again.
I guess the session perms are not updated because leaveGroup is trying to unset those on the actual $_SESSION. However, that only affects the current PHP session running the code (my REST handler), not the actual user session in their browser. So the user’s permissions are not refreshed:
I created two plugins (note: I am misusing the remote_key field here):
setReloginFlag:
<?php
// Plugin setReloginFlag, attached to OnUserRemoveFromGroup and OnUserAddToGroup
switch ($modx->event->name) {
    case 'OnUserRemoveFromGroup':
    case 'OnUserAddToGroup':
        // $user is the modUser object passed in by the event
        if (!$user) return '';
        // Set flag for relogin to flush permissions
        $user->set('remote_key', '1');
        $user->save();
        break;
}
Just need to make sure that OnUserRemoveFromGroup and OnUserAddToGroup are invoked by the script. AFAIK leaveGroup and joinGroup are not invoking those events.
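A counterpart plugin that consumes the flag, as an added example (not code from this thread or from MODX itself): attached to OnWebPageInit it runs inside the visitor's own request, so the session it clears is the one their browser actually uses, and because leaveGroup/joinGroup do not fire the group events, the REST handler can set remote_key itself right after calling them. The plugin name, the $_SESSION cache keys and the behaviour of loadAttributes() with $reload = true are assumptions about the MODX API.

```php
<?php
/**
 * checkReloginFlag (hypothetical plugin name, added example)
 * Attach to: OnWebPageInit
 *
 * Runs in the visitor's own request, so $_SESSION here is the session the
 * browser holds, unlike the REST/IPN handler, where $_SESSION is a separate
 * PHP session that the browser never sees.
 */
if ($modx->event->name !== 'OnWebPageInit') return '';

$ctx = $modx->context->get('key');
if (!$modx->user || !$modx->user->isAuthenticated($ctx)) return '';

// Flag set by the IPN handler (or the setReloginFlag plugin) after a group change.
if ($modx->user->get('remote_key') !== '1') return '';

// Clear the flag first so a failure below does not re-run on every request.
$modx->user->set('remote_key', '');
$modx->user->save();

$uid = $modx->user->get('id');

// Drop the permission data MODX caches in the session for this user.
// Assumption: these are the keys modUser stores its cached group/attribute data under.
unset($_SESSION["modx.user.{$uid}.attributes"]);
unset($_SESSION["modx.user.{$uid}.resourceGroups"]);
unset($_SESSION["modx.user.{$uid}.userGroups"]);
unset($_SESSION["modx.user.{$uid}.userGroupNames"]);

// Rebuild the access attributes for this context from the database.
// Assumption: the third argument ($reload = true) bypasses the session cache.
$modx->user->loadAttributes('modAccessContext', $ctx, true);
$modx->user->loadAttributes('modAccessResourceGroup', $ctx, true);

$modx->log(modX::LOG_LEVEL_INFO, "Refreshed session permissions for user {$uid} after a group change.");
return '';
```

Because the refresh happens in the user's own request, no user_id-to-session mapping has to be stored anywhere, which avoids the concern raised above about recording session identifiers against user records.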