authorFrédéric Guillot <fred@kanboard.net>2019-01-30 20:59:25 -0800
committerFrédéric Guillot <fred@kanboard.net>2019-01-30 20:59:25 -0800
commit61a55c888889a1ec3376a7a3bba230dc15a378a4 (patch)
treea7bd979f04aeed56e7c101e7a6dad6cd52c6404d
parent19ea9ed6209b36cba5cb8f96224d9e3a0c022c93 (diff)
Check if user role has changed while the session is open
-rw-r--r--app/Auth/DatabaseAuth.php2
-rw-r--r--app/Middleware/AuthenticationMiddleware.php3
-rw-r--r--app/Model/UserModel.php9
3 files changed, 12 insertions, 2 deletions
diff --git a/app/Auth/DatabaseAuth.php b/app/Auth/DatabaseAuth.php
index 84a1e019..1982f576 100644
--- a/app/Auth/DatabaseAuth.php
+++ b/app/Auth/DatabaseAuth.php
@@ -84,7 +84,7 @@ class DatabaseAuth extends Base implements PasswordAuthenticationProviderInterfa
*/
public function isValidSession()
{
- return $this->userModel->isActive($this->userSession->getId());
+ return $this->userModel->isValidSession($this->userSession->getId(), $this->userSession->getRole());
}
/**
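Review bot: The role check on the new line is implemented only in `DatabaseAuth::isValidSession()`; if other authentication providers in this tree implement their own `isValidSession()` (a reverse-proxy or LDAP provider, for example — not visible here), a role change made while one of those sessions is open would still go unnoticed, so the same comparison belongs in each of them or, better, in the shared session check that calls them. The docblock closing at the top of this hunk should also say what the method now enforces, e.g. `Check that the user is still active and that the role stored in the session still matches the database`, so the behaviour change is discoverable. The docblock itself starts outside the hunk.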
diff --git a/app/Middleware/AuthenticationMiddleware.php b/app/Middleware/AuthenticationMiddleware.php
index 54652e57..7eb9f745 100644
--- a/app/Middleware/AuthenticationMiddleware.php
+++ b/app/Middleware/AuthenticationMiddleware.php
@@ -20,7 +20,8 @@ class AuthenticationMiddleware extends BaseMiddleware
public function execute()
{
if (! $this->authenticationManager->checkCurrentSession()) {
- throw AccessForbiddenException::getInstance()->withoutLayout();
+ $this->response->redirect($this->helper->url->to('AuthController', 'login'));
+ return;
}
if (! $this->isPublicAccess()) {
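Review bot: Replacing the `AccessForbiddenException` with an unconditional redirect means an AJAX or API-style request that arrives with a now-invalid session gets a 302 to the login page (and, if the client follows it, an HTML login form with a 200) instead of a 403, which breaks callers that key off the status code; keeping the old behaviour for non-browser requests, e.g. `if ($this->request->isAjax()) { throw AccessForbiddenException::getInstance()->withoutLayout(); }` before the redirect, would preserve that signal — assuming the request object exposes such a check, as it is not visible here. Also worth confirming that `checkCurrentSession()` destroys the session when it returns false: the redirect alone leaves whatever session data exists (including the stale role) in place, and the login page is reached with that session still attached. The rest of `execute()` continues outside the hunk.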
diff --git a/app/Model/UserModel.php b/app/Model/UserModel.php
index c44fd3e7..d8db3270 100644
--- a/app/Model/UserModel.php
+++ b/app/Model/UserModel.php
@@ -29,6 +29,15 @@ class UserModel extends Base
*/
const EVERYBODY_ID = -1;
+ public function isValidSession($userID, $sessionRole)
+ {
+ return $this->db->table(self::TABLE)
+ ->eq('id', $userID)
+ ->eq('is_active', 1)
+ ->eq('role', $sessionRole)
+ ->exists();
+ }
+
/**
* Return true if the user exists
*
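Review bot: The new `isValidSession()` has no docblock while every neighbouring method in this class carries one (the `@access`/`@param`/`@return` block that begins at the bottom of the hunk), so it should get one stating that it returns true only when the user row exists, `is_active` is 1 and the `role` column still equals the role the session was created with, with `@param integer $userID`, `@param string $sessionRole` and `@return boolean`. Because the comparison is a plain SQL equality, a session whose stored role is empty or null will never match and is forced back to login; that is a safe default but worth a one-line comment, e.g. `// a role mismatch (or a missing session role) invalidates the session rather than refreshing it`. Note that this runs a query on every request, so the caller must not be on a hot path that bypasses the session-validity cache, if one exists.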