user3732216

Reputation: 1589

Editing A User For Laravel App

In attempting to put together a form partial that houses all the inputs for user creation, I have a few questions.

Form Fields: first_name, last_name, email, password, password_confirmation, user_role_id.

The create and edit form can ONLY be accessed by an administrator. The form works great on the create side of things; however, I'm trying to think of how to handle the edit side. Right now the password field is obviously empty because of Laravel's default behavior of hiding the password input from the user model.

So for an administrator to edit a user, what should I do to adjust for that? The situation may be that just the email address or the name needs to be changed, and then clicking the submit button won't have a value for password. Do I go ahead and make the password field non-hidden?

Also, what about the situation where an admin changes the user's role to something else while that user is currently logged in? What do I do about the fact that this might enable/prevent the user from accessing parts of the application based on when they were logged in with that previous role?

Upvotes: 0

Views: 233

Answers (2)

Matthew Brown

Reputation: 5136

I would use the database to store sessions, that way you can delete session data for specific users, which will force them to re-authenticate on their next request.

You'd need to use a filter to check if session data exists in the database before processing the request. If not, redirect to login.

So when an admin changes a role for a user, if that info is not stored in the session for the user, no reauth is necessary if the role is checked directly from the db. If the role is in the user's session and that session is in the database, you can delete the session for the user from the database, forcing them to log in again on their next request and getting them the new role. This only works if you have proper filters in place to check the user's session info.

Upvotes: 1

Chad

Reputation: 1818

I hope I am understanding your problem correctly. If not please let me know.

Regarding the password, what I've done before is leave both the password and confirm_password input fields blank. Then if the first password field has anything in it, then I assume you are wanting to change the password. Then I validate to make sure both passwords match and update the user accordingly.

Regarding the role change, I'm not aware of any built-in feature from Laravel for forcing a user to log in the next time they access an authenticated page. But that is probably what you would want to do. Either flag the user to log in again, or just wait until their session expires and they have to log in again.

I'm curious to see how others have dealt with this situation.

Upvotes: 1
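The two answers above combined into one admin update action, as an added example that is not code from either answerer: a blank password leaves the stored hash untouched, and a role or password change deletes the user's database-backed sessions so the next request has to re-authenticate. It assumes a recent Laravel release with `SESSION_DRIVER=database` and the stock `sessions` table (which carries a `user_id` column), and a route already restricted to administrators. The controller name, the `admin.users.edit` route, the `user_roles` table and the 12-character minimum are hypothetical.

```php
<?php

namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rule;

class UserController extends Controller // hypothetical admin-only controller
{
    public function update(Request $request, User $user)
    {
        $data = $request->validate([
            'first_name'   => ['required', 'string', 'max:255'],
            'last_name'    => ['required', 'string', 'max:255'],
            'email'        => ['required', 'email', Rule::unique('users')->ignore($user->id)],
            // Blank means "keep the current password". "confirmed" requires a
            // matching password_confirmation field. min:12 is a constructed policy.
            'password'     => ['nullable', 'string', 'min:12', 'confirmed'],
            // Assumes roles live in a table named user_roles.
            'user_role_id' => ['required', 'integer', 'exists:user_roles,id'],
        ]);

        $user->first_name   = $data['first_name'];
        $user->last_name    = $data['last_name'];
        $user->email        = $data['email'];
        $user->user_role_id = (int) $data['user_role_id'];

        // Only touch the stored hash when the admin actually typed a new password.
        $passwordChanged = ! empty($data['password']);
        if ($passwordChanged) {
            $user->password = Hash::make($data['password']);
        }

        $roleChanged = $user->isDirty('user_role_id'); // must be read before save()
        $user->save();

        // Drop every server-side session of this user so the next request is
        // unauthenticated and the new role (or password) applies after login.
        if ($roleChanged || $passwordChanged) {
            DB::table('sessions')->where('user_id', $user->id)->delete();
        }

        return redirect()->route('admin.users.edit', $user)->with('status', 'User updated.');
    }
}
```

A "remember me" cookie will silently sign the user back in after the session row is gone, which still reloads the new role; rotate the user's `remember_token` as well if an interactive login is required.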
