Symfony Security access control doesn't react to user changes in DB

Question

My user provider is set to User entity.

The entity has getRoles() model and it works properly.

My problem is that:

• There are two user roles in the website (Admin and Regular)
• Regular user can't access Object creation (access_control is set that only Admins can do this)
• User logs in while he is still has 'Regular' role
• I go and edit this 'Regular' user in DB and set it to 'Admin'
• User is still logged-in, the access_control still treats him as 'Regular'
• $this->getUser()->getRoles() has the 'Admin' role.
• User still can't access the Object creation route, because access_control assumes he is still 'Regular'
• He has to re-login, and only then the access_control lets him access the Object creation route.

How do I do so that that database changes apply to the session, without having to log out?

Answer 1

I went with Symfony's voters: https://symfony.com/doc/current/security/voters.html

Could not be able to achieve it without Security Roles without logging-out.

Answer 2

I think this question is similar to yours. The accepted answer was:

$user = $this->getUser();
$user->addRole('ROLE_ADMIN');
$this->get('fos_user.user_manager')->updateUser($user);
$token = new UsernamePasswordToken($user, null, 'main', $user->getRoles());
$this->get('security.context')->setToken($token);