Hello,
I'm not sure whether it's a real issue, whether it's a real problem, or whether my proposed modification is right.
I'm using v0.1.0-beta.5 (I've checked on GitHub and I think the issue is still there in the head version).
The problem:
- emptying the "access_tokens" table doesn't log users out.
- if for some reason you change the id in the users table (uncommon, but it can happen in certain backup/restore/import-from-foreign-forum scenarios): an already logged-in user will get logged in under another user account.
- I haven't tested this scenario, but maybe expired tokens won't log the user out.
For me the problem is in Http/Middleware/RememberFromCookie.php
Original:
public function __invoke(Request $request, Response $response, callable $out = null)
{
    $id = array_get($request->getCookieParams(), 'flarum_remember');
    if ($id) {
        $token = AccessToken::find($id);
        if ($token) {
            $token->touch();
            $session = $request->getAttribute('session');
            $session->set('user_id', $token->user_id);
        }
    }
    return $out ? $out($request, $response) : $response;
}
Maybe it should be:
public function __invoke(Request $request, Response $response, callable $out = null)
{
    $id = array_get($request->getCookieParams(), 'flarum_remember');
    if ($id) {
        $token = AccessToken::find($id);
        $session = $request->getAttribute('session');
        if ($token) {
            $token->touch();
            $session->set('user_id', $token->user_id);
        } else {
            $session->set('user_id', 0);
        }
    }
    return $out ? $out($request, $response) : $response;
}
Otherwise Http/Middleware/AuthenticateWithSession.php will use the previous user_id in the session regardless of the token.
Maybe the $session->set('user_id', 0) should also be done if no id was found in the cookie.
For me, on beta5, this modification seems to solve the problem without adding more problems.
Sorry if I'm wrong, and sorry for my English too.
Thanks for your great forum.
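The behaviour described in this report, as an added self-contained example rather than Flarum's own code: a minimal stand-in for the remember-cookie middleware that clears any stale user_id from the session whenever the presented token is unknown, revoked or expired. The classes Session, TokenStore and RememberFromCookie, the token ids and the timestamps are all constructed for the demonstration and do not correspond to Flarum's real classes or schema; the shape of the check (resolve the cookie to a token first, and only trust the session's user_id when that succeeds) is the point.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory session: stands in for $request->getAttribute('session').
final class Session
{
    private array $data = [];
    public function get(string $key, $default = null) { return $this->data[$key] ?? $default; }
    public function set(string $key, $value): void { $this->data[$key] = $value; }
    public function forget(string $key): void { unset($this->data[$key]); }
}

// Hypothetical token store: stands in for the access_tokens table.
final class TokenStore
{
    /** @var array<string, array{user_id:int, expires_at:int}> */
    private array $tokens = [];

    public function issue(string $id, int $userId, int $ttlSeconds, int $now): void
    {
        $this->tokens[$id] = ['user_id' => $userId, 'expires_at' => $now + $ttlSeconds];
    }

    // Returns the user id for a live token, or null when the token is unknown or expired.
    public function resolve(?string $id, int $now): ?int
    {
        if ($id === null || !isset($this->tokens[$id])) {
            return null;
        }
        if ($this->tokens[$id]['expires_at'] <= $now) {
            unset($this->tokens[$id]); // drop expired tokens eagerly
            return null;
        }
        return $this->tokens[$id]['user_id'];
    }

    // Mirrors "emptying the access_tokens table".
    public function revokeAll(): void { $this->tokens = []; }
}

final class RememberFromCookie
{
    public function __construct(private TokenStore $tokens) {}

    // $cookies mirrors $request->getCookieParams(); $now is injected so expiry can be tested.
    public function handle(array $cookies, Session $session, int $now): void
    {
        $userId = $this->tokens->resolve($cookies['flarum_remember'] ?? null, $now);
        if ($userId !== null) {
            $session->set('user_id', $userId);
            return;
        }
        // Key point: with no valid token, never keep a user_id that is still
        // sitting in the session from an earlier request.
        $session->forget('user_id');
    }
}

// Constructed scenario reproducing the report: log in, wipe the tokens,
// and check that a later request is no longer attributed to the user.
$store   = new TokenStore();
$mw      = new RememberFromCookie($store);
$session = new Session();
$cookies = ['flarum_remember' => 'tok-constructed-1'];

$store->issue('tok-constructed-1', 42, 3600, 1000);
$mw->handle($cookies, $session, 1001);
echo "after login:  user_id=", var_export($session->get('user_id'), true), PHP_EOL;

$store->revokeAll();
$mw->handle($cookies, $session, 1002);
echo "after revoke: user_id=", var_export($session->get('user_id'), true), PHP_EOL;

// Expired token: the session still carries user_id from before, but the
// middleware must not trust it once the token's expires_at has passed.
$store->issue('tok-constructed-2', 7, 10, 2000);
$session->set('user_id', 7);
$mw->handle(['flarum_remember' => 'tok-constructed-2'], $session, 2011);
echo "after expiry: user_id=", var_export($session->get('user_id'), true), PHP_EOL;
```

Run it with `php example.php`; the second and third lines should show the session without a user_id. Forgetting the key (rather than writing 0) is chosen here so that downstream code checking `isset($session->get('user_id'))` and code comparing against a real id agree; in a real deployment the session identifier should also be regenerated on any change of authenticated user.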