Closed MatteoPiovanelli-Laser closed 3 years ago
When is the user object reloaded?
As is, on FOO's next request, their client would send the authentication cookie it stored before FOO was disabled. The AuthenticationService would call all its providers to validate the information from the cookie, and that would find no issue with it, since there is no history of the Approved/Disabled state of the User.
https://github.com/OrchardCMS/Orchard/blob/eebb22edbfdfb2e69f2a0a40e8898bb9f1eda6ed/src/Orchard.Web/Modules/Orchard.Users/Events/LoginUserEventHandler.cs#L40
As is: User FOO logs on. User FOO is disabled. User FOO is enabled. At this point FOO's authentication cookie is still valid.
Since, among the various tests done for the validity of the authentication cookie, we are checking for the datetime of the last logout, setting that on a handler for the Moderate event would be enough to fix this.
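The mechanism the comment describes, as an added example that is not Orchard's code: a self-contained C# model in which the cookie validator rejects any cookie issued at or before the user's last-logout timestamp, and the moderation handler bumps that same timestamp. All type and member names (`UserRecord`, `AuthCookie`, `UserStore.Moderate`, `LastLogoutUtc`, `CookieValidator.IsValid`) are hypothetical stand-ins, not Orchard's `AuthenticationService`, its providers, or its user part.

```csharp
using System;
using System.Collections.Generic;

// Added example (hypothetical names, not Orchard's API).
public sealed class UserRecord
{
    public string UserName { get; }
    public bool IsEnabled { get; set; } = true;
    // Checked by the validator against the cookie's issue time. The fix in the
    // comment is to move this forward on the Moderate event as well as on logout.
    public DateTime LastLogoutUtc { get; set; } = DateTime.MinValue;
    public UserRecord(string userName) { UserName = userName; }
}

public sealed class AuthCookie
{
    public string UserName { get; }
    public DateTime IssuedUtc { get; }
    public AuthCookie(string userName, DateTime issuedUtc)
    {
        UserName = userName;
        IssuedUtc = issuedUtc;
    }
}

public sealed class UserStore
{
    private readonly Dictionary<string, UserRecord> _users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);

    public UserRecord Add(string userName)
    {
        var user = new UserRecord(userName);
        _users[userName] = user;
        return user;
    }

    public UserRecord Find(string userName) =>
        _users.TryGetValue(userName, out var user) ? user : null;

    // Stand-in for a handler on the Moderate (enable/disable) event. Recording the
    // moderation time in LastLogoutUtc makes every cookie issued before this
    // moment fail validation, whatever the user's current Approved state is.
    public void Moderate(string userName, bool enable, DateTime nowUtc)
    {
        var user = Find(userName);
        if (user == null) return;
        user.IsEnabled = enable;
        user.LastLogoutUtc = nowUtc;
    }

    // Ordinary logout: same timestamp update.
    public void Logout(string userName, DateTime nowUtc)
    {
        var user = Find(userName);
        if (user != null) user.LastLogoutUtc = nowUtc;
    }
}

public static class CookieValidator
{
    // Returns true only for an enabled user whose cookie was issued strictly
    // after the last logout/moderation time.
    public static bool IsValid(AuthCookie cookie, UserStore store)
    {
        var user = store.Find(cookie.UserName);
        if (user == null) return false;
        if (!user.IsEnabled) return false;
        return cookie.IssuedUtc > user.LastLogoutUtc;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new UserStore();
        store.Add("FOO");
        var t0 = new DateTime(2020, 1, 1, 12, 0, 0, DateTimeKind.Utc);

        // The scenario from the issue: FOO logs on, is disabled, then re-enabled.
        var cookie = new AuthCookie("FOO", t0);
        store.Moderate("FOO", enable: false, nowUtc: t0.AddMinutes(5));
        store.Moderate("FOO", enable: true, nowUtc: t0.AddMinutes(10));
        Console.WriteLine("cookie from before moderation valid: " + CookieValidator.IsValid(cookie, store));

        // A cookie issued by a fresh login after re-enabling is accepted.
        var fresh = new AuthCookie("FOO", t0.AddMinutes(15));
        Console.WriteLine("cookie from fresh login valid: " + CookieValidator.IsValid(fresh, store));
    }
}
```

With the timestamp update in `Moderate`, the cookie issued at `t0` is rejected after FOO is disabled and re-enabled, and only a cookie from a new login is accepted. Removing the `user.LastLogoutUtc = nowUtc;` line from `Moderate` reproduces the "as is" behaviour described above: the original cookie validates again as soon as the account is re-enabled, because nothing records that the account was moderated in between.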