feat: prevent logged-in users from trying to log in again #216
Conversation
There was a problem hiding this comment.
The only exception I see is "act as" functionality - where an admin impersonates another user to simulate their experience using the website. I incorporate this into all my projects because it is very helpful during development to be able to try different user roles and it helps eventual website owners troubleshoot issues with their users' accounts.
That said, maybe that doesn't count as an actual "login" and needs some other way of changing the underlying active user?
|
I wouldn't think of that as a login, per se. In Laravel projects I've used laravel-impersonate and found it very nice. Maybe we need a package like this? Though I'm not sure that's a core component. Either way - you could probably override the filter to make this work? |
|
"act as" functionality is not a normal login. It should not fire login event. |
If a logged-in user logs in with a different user account, the session data of the previous user is carried over.
kenjis
force-pushed
the
prevent-logged-in-user-login-again
branch
from
92156a7 to
ec5fe81
Compare
|
Fixed a rector error. Merging. |
Basically, a logged-in user is not supposed to log in again without logging out,
and should be protected so that he/she cannot do so with filters and/or controllers.
But a developer may misconfigure and if a logged-in user logs in with a different user account,
the session data of the previous user is carried over.
This PR prevents such behavior by making errors.