hovel / pybbm

Django forum solution. Tested, documented, shipped with example project.
BSD 2-Clause "Simplified" License

Why are banned users still logged in? #268

Closed lampslave closed 7 years ago

lampslave commented 7 years ago

There is no force logout in views.block_user.

DylannCordel commented 7 years ago

We could add a Middleware for this, but is this in the scope of pybb? When an admin deactivates a user via admin/auth/user/<id>, this user is not logged out either. Maybe we could just add a part in the documentation about this problem, and how to solve it by adding this specific Middleware.

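from django.contrib.auth import logout

class LogoutInactiveUserMiddleware(object):
    # Old-style middleware hook: runs on every request before the view.
    def process_request(self, request):
        # is_authenticated() is the method form; Django 1.10+ exposes it as a property.
        if request.user.is_authenticated() and not request.user.is_active:
            # Flushes the session attached to this request.
            logout(request)

lampslave commented 7 years ago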

Instead of middleware we can add logout to views.block_user, I just wonder why this wasn't done before...

DylannCordel commented 7 years ago

Unfortunately, we can't: this view is called with an admin user, not the user who is banned. If we call logout in this view, it's the admin who will be logged out because logout needs the request to manipulate the user's session. See django.contrib.auth.logout.

lampslave commented 7 years ago

Yes, you're right. Then this isn't a pybbm issue. Maybe https://django-force-logout.readthedocs.io/ will be helpful.
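The behaviour discussed in this thread, as an added example that is not code from pybbm or from any participant: a pure-Python model of a server-side session table showing that a request-bound logout in the block view ends the admin's session, while deleting the stored sessions owned by the banned user ends theirs. All function names, session keys and user ids are constructed for illustration; only the `_auth_user_id` session key mirrors what Django's auth app stores.

```python
# Model of a server-side session table: session key -> decoded session data.
# "_auth_user_id" is the key Django's auth app keeps the logged-in user's id under.
AUTH_KEY = "_auth_user_id"


def logout(request):
    """Stand-in for a request-bound logout: flushes the session of THIS request."""
    request["store"].pop(request["session_key"], None)


def block_user_naive(request, users, target_id):
    """The idea raised in the thread: deactivate, then log out via the request."""
    users[target_id]["is_active"] = False
    logout(request)  # the request belongs to the admin, so the admin is logged out


def block_user_revoking(request, users, target_id):
    """Deactivate, then delete every stored session owned by the target user."""
    users[target_id]["is_active"] = False
    store = request["store"]
    doomed = [key for key, data in store.items()
              if str(data.get(AUTH_KEY)) == str(target_id)]
    for key in doomed:
        del store[key]
    return len(doomed)


def logged_in_users(store):
    """User ids that still own at least one session."""
    return sorted({data[AUTH_KEY] for data in store.values() if AUTH_KEY in data})


def run(block_view):
    # Constructed data: user 1 is the admin, user 7 is banned on two devices.
    users = {"1": {"is_active": True}, "7": {"is_active": True}}
    store = {
        "sess-admin": {AUTH_KEY: "1"},
        "sess-phone": {AUTH_KEY: "7"},
        "sess-laptop": {AUTH_KEY: "7"},
        "sess-anon": {},
    }
    admin_request = {"session_key": "sess-admin", "store": store}
    block_view(admin_request, users, "7")
    return logged_in_users(store)


if __name__ == "__main__":
    print("naive:   ", run(block_user_naive))
    print("revoking:", run(block_user_revoking))
```

With Django's database session backend the same loop would run over `django.contrib.sessions.models.Session` rows, reading each with `get_decoded()`. Sessions held in signed cookies have no server-side row to delete, so there a per-request check such as the middleware above remains the way to cut off a deactivated account.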