How to log out a banned user in Symfony?

Symfony provides a simple way of preventing users from logging in using the isEnabled property if the user class implements AdvancedUserInterface.

However, if the user is logged in, nothing will prevent them from accessing the website until their session expires.

The idea would be to check the isEnabled property upon getting the user entity ($this->get('security.token_storage')->getToken()->getUser()) and to invalidate the session then. What is the preferred way of doing so?

Or is there a better way to achieve this goal?

You can set the following in your security.yml:

security:
    always_authenticate_before_granting: true

This will always re-authenticate a user before storing the information into the token. It will take care of these kinds of changes in the user configuration, but also things like changed roles, etc.

Maybe catch the request before controller execution (there is a listener for that, I think), check if his account is blocked, and if it's true just make a 403 response and hasta la vista, baby.

A better way is redirecting them to the logout URL, which is handled by the Security system. You can do it by creating a listener which listens to the kernel.request event. Here is a gist which I created about a month ago, which provides such functionality.

You could do this with a custom user provider (it's an easy change if you are already using one).

http://symfony.com/doc/current/cookbook/security/custom_provider.html

loadUserByUsername is called when a user logs in.

refreshUser is called on every subsequent request. The user object is unserialized and then refreshed. You can then do whatever you want in the refresh method, including reloading it from the database and checking if the user is banned.
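
A sketch of the refreshUser approach described in the last answer, added here as an example and not taken from any of the answers or from Symfony itself. The class name BanAwareUserProvider is hypothetical; the code assumes a Symfony version that still ships AdvancedUserInterface and an inner provider (for example the Doctrine entity provider) that reloads the user from the database. It relies on the firewall's ContextListener dropping the session token when refreshUser throws UsernameNotFoundException.

```php
<?php
// Added example: decorates an existing user provider so that a user disabled
// after login loses the session on the next request.
// BanAwareUserProvider is a hypothetical name; only Symfony Security Core types are used.

use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class BanAwareUserProvider implements UserProviderInterface
{
    /** @var UserProviderInterface provider that actually loads users (assumed to hit the database) */
    private $inner;

    public function __construct(UserProviderInterface $inner)
    {
        $this->inner = $inner;
    }

    // Login path: the regular user checker already rejects disabled accounts here.
    public function loadUserByUsername($username)
    {
        return $this->inner->loadUserByUsername($username);
    }

    // Called on every request that carries an authenticated session.
    public function refreshUser(UserInterface $user)
    {
        // Reload current state instead of trusting the copy unserialized from the session.
        $fresh = $this->inner->refreshUser($user);

        if ($fresh instanceof AdvancedUserInterface && !$fresh->isEnabled()) {
            // Treated by the ContextListener as "user no longer exists": the token is discarded.
            throw new UsernameNotFoundException(
                sprintf('Account "%s" is disabled.', $fresh->getUsername())
            );
        }

        return $fresh;
    }

    public function supportsClass($class)
    {
        return $this->inner->supportsClass($class);
    }
}
```

Register the class as a service that wraps the existing provider and point the firewall's provider setting at it.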