I have a user entity, which has a boolean "hasTmpPassword". This boolean is set to true until the user changes their password.
After login with the temp password, I redirect to my changePassword page (with DefaultAuthenticationSuccessHandler).
How can I prevent a logged-in user (with a temp password) from accessing other pages of the website, and always redirect him toward the changePassword page?
Thanks!
After logging in that user, you should set a flag in his session (i.e. changePasswordNeeded).
$request->getSession()->set('changePasswordNeeded', true);
Add a listener, which will be fired onKernelRequest:

    services:
        kernel.listener.your_listener_name:
            class: YourListenerClass
            tags:
                - { name: kernel.event_listener, event: kernel.controller, method: onKernelRequest }

Redirect to the form on each request except the change_temp_password request (for selected users):
    use Symfony\Component\HttpFoundation\RedirectResponse;
    use Symfony\Component\HttpKernel\Event\FilterControllerEvent;
    use Symfony\Component\HttpKernel\HttpKernelInterface;

    // Method of the listener class registered above; $this->router is an injected RouterInterface
    public function onKernelRequest(FilterControllerEvent $event)
    {
        // Only the master request, not rendered sub-requests, should trigger the redirect
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }
        $request = $event->getRequest();
        if ($request->getSession()->has('changePasswordNeeded')) {
            $expectedRoute = 'change_temp_password';
            if ($expectedRoute === $request->get('_route')) {
                return;
            }
            // FilterControllerEvent has no setResponse(): swap in a controller that returns the redirect
            $response = new RedirectResponse($this->router->generate($expectedRoute));
            $event->setController(function () use ($response) {
                return $response;
            });
        }
    }
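A complete variant of the listener described in this answer, added here as an example and not code from the answer or from Symfony itself. It hooks kernel.request (whose GetResponseEvent does have setResponse()), derives the decision from the user entity's flag instead of a session variable, and keeps the logout route reachable so the user is never trapped. The namespace, service id, the entity class Acme\DemoBundle\Entity\User with a hasTmpPassword() getter, and the route name logout are all assumptions; only change_temp_password comes from the answer above.

```php
<?php
// Assumed service definition (YAML) for this listener; ids and class names are placeholders:
//
// services:
//     app.tmp_password_listener:
//         class: Acme\DemoBundle\EventListener\TmpPasswordListener
//         arguments: ["@security.context", "@router"]
//         tags:
//             # priority 0 runs after the firewall listener (priority 8), so the token is populated
//             - { name: kernel.event_listener, event: kernel.request, method: onKernelRequest, priority: 0 }

namespace Acme\DemoBundle\EventListener;

use Acme\DemoBundle\Entity\User; // assumed entity exposing hasTmpPassword()
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;

class TmpPasswordListener
{
    // The only page a user with a temporary password is allowed to use
    const CHANGE_ROUTE = 'change_temp_password';

    // Assumed logout route name; it must stay reachable or the user cannot leave the loop
    const LOGOUT_ROUTE = 'logout';

    private $securityContext;
    private $router;

    public function __construct(SecurityContextInterface $securityContext, RouterInterface $router)
    {
        $this->securityContext = $securityContext;
        $this->router = $router;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        // Sub-requests (rendered fragments, ESI) must never trigger a redirect
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }

        $token = $this->securityContext->getToken();
        if (null === $token) {
            return; // request is outside any firewall, nothing to enforce
        }

        // Anonymous tokens carry the string "anon." as user; only a real entity has the flag
        $user = $token->getUser();
        if (!$user instanceof User) {
            return;
        }

        // The entity, not a session flag, is the source of truth: it survives session
        // regeneration and cannot drift out of sync with the stored password
        if (!$user->hasTmpPassword()) {
            return;
        }

        $route = $event->getRequest()->attributes->get('_route');
        if (in_array($route, array(self::CHANGE_ROUTE, self::LOGOUT_ROUTE), true)) {
            return;
        }

        // Any other page is replaced by a redirect to the change-password form
        $url = $this->router->generate(self::CHANGE_ROUTE);
        $event->setResponse(new RedirectResponse($url));
    }
}
```

The change-password controller must set the entity's boolean to false and flush it; because the user provider refreshes the entity on every request, the listener stops redirecting on the very next request without any session bookkeeping. Reading the flag from the entity also means a second login from another browser is gated the same way, which a per-session flag set only in the success handler would not guarantee.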
I'm not familiar with symfony2, but in plain php I would set a session variable to indicate that a temporary password was used for authentication. Then you can check if that variable is set / has a certain value where you handle your authentication and redirect to the password-change page whenever the user tries to access another page.