Allow to disable a user in admin settings.

When a user is disabled, he can not login.

config/packages/security.yaml

@@ -16,6 +16,7 @@ security:
             security: false
         main:
             anonymous: true
+            user_checker: App\Security\UserChecker
 
               # activate different ways to authenticate
 

src/Entity/UserSystem/User.php

@@ -78,6 +78,7 @@ use Symfony\Component\Validator\Constraints as Assert;
 /**
  * This entity represents a user, which can log in and have permissions.
  * Also this entity is able to save some informations about the user, like the names, email-address and other info.
+ * Also this entity is able to save some informations about the user, like the names, email-address and other info.
  *
  * @ORM\Entity(repositoryClass="App\Repository\UserRepository")
  * @ORM\Table("`users`")
@@ -340,6 +341,26 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
         return $this;
     }
 
+    /**
+     * Checks if this user is disabled (user cannot login any more).
+     * @return bool True, if the user is disabled.
+     */
+    public function isDisabled(): bool
+    {
+        return $this->disabled;
+    }
+
+    /**
+     * Sets the status if a user is disabled.
+     * @param bool $disabled True if the user should be disabled.
+     * @return User
+     */
+    public function setDisabled(bool $disabled): User
+    {
+        $this->disabled = $disabled;
+        return $this;
+    }
+
 
 
     /**
@@ -566,6 +587,7 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
 
     public function __toString()
     {
-        return $this->getFullName(true);
+        $tmp = $this->isDisabled() ? ' [DISABLED]' : '';
+        return $this->getFullName(true) . $tmp;
     }
 }

src/EventSubscriber/LogoutOnDisabledUserListener.php

@@ -0,0 +1,94 @@
+<?php
+/**
+ *
+ * part-db version 0.1
+ * Copyright (C) 2005 Christoph Lechner
+ * http://www.cl-projects.de/
+ *
+ * part-db version 0.2+
+ * Copyright (C) 2009 K. Jacobs and others (see authors.php)
+ * http://code.google.com/p/part-db/
+ *
+ * Part-DB Version 0.4+
+ * Copyright (C) 2016 - 2019 Jan Böhmer
+ * https://github.com/jbtronics
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ *
+ */
+
+namespace App\EventSubscriber;
+
+
+use App\Entity\UserSystem\User;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface;
+use Symfony\Component\HttpKernel\Event\ControllerEvent;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Http\SecurityEvents;
+use Symfony\Contracts\Translation\TranslatorInterface;
+
+class LogoutOnDisabledUserListener implements EventSubscriberInterface
+{
+
+    protected $security;
+    protected $translator;
+    protected $flashBag;
+    protected $urlGenerator;
+
+    public function __construct(Security $security, UrlGeneratorInterface $urlGenerator)
+    {
+        $this->security = $security;
+
+        $this->urlGenerator = $urlGenerator;
+    }
+
+    public function onRequest(RequestEvent $event)
+    {
+        $user = $this->security->getUser();
+        if ($user instanceof User && $user->isDisabled()) {
+            //Redirect to login
+            $response = new RedirectResponse($this->urlGenerator->generate('logout'));
+            $event->setResponse($response);
+        }
+    }
+
+    /**
+     * Returns an array of event names this subscriber wants to listen to.
+     *
+     * The array keys are event names and the value can be:
+     *
+     *  * The method name to call (priority defaults to 0)
+     *  * An array composed of the method name to call and the priority
+     *  * An array of arrays composed of the method names to call and respective
+     *    priorities, or 0 if unset
+     *
+     * For instance:
+     *
+     *  * ['eventName' => 'methodName']
+     *  * ['eventName' => ['methodName', $priority]]
+     *  * ['eventName' => [['methodName1', $priority], ['methodName2']]]
+     *
+     * @return array The event names to listen to
+     */
+    public static function getSubscribedEvents()
+    {
+        return [KernelEvents::REQUEST => 'onRequest'];
+    }
+}

src/Form/UserAdminForm.php

@@ -129,6 +129,7 @@ class UserAdminForm extends AbstractType
                 'disabled' => !$this->security->isGranted('edit_infos', $entity),
             ])
 
+
             //Config section
             ->add('language', LanguageType::class, [
                 'required' => false,
@@ -170,6 +171,7 @@ class UserAdminForm extends AbstractType
                 'invalid_message' => 'password_must_match',
                 'required' => false,
                 'mapped' => false,
+                'disabled' => !$this->security->isGranted('set_password', $entity),
                 'constraints' => [new Length([
                     'min' => 6,
                     'max' => 128,
@@ -179,7 +181,17 @@ class UserAdminForm extends AbstractType
             ->add('need_pw_change', CheckboxType::class, [
                 'required' => false,
                 'label_attr' => ['class' => 'checkbox-custom'],
-                'label' => $this->trans->trans('user.edit.needs_pw_change')
+                'label' => $this->trans->trans('user.edit.needs_pw_change'),
+                'disabled' => !$this->security->isGranted('set_password', $entity)
+            ])
+
+            ->add('disabled', CheckboxType::class, [
+                'required' => false,
+                'label_attr' => ['class' => 'checkbox-custom'],
+                'label' => $this->trans->trans('user.edit.user_disabled'),
+                'disabled' => !$this->security->isGranted('set_password', $entity)
+                    || $entity === $this->security->getUser()
+
             ])
 
             //Permission section

src/Security/UserChecker.php

@@ -0,0 +1,78 @@
+<?php
+/**
+ *
+ * part-db version 0.1
+ * Copyright (C) 2005 Christoph Lechner
+ * http://www.cl-projects.de/
+ *
+ * part-db version 0.2+
+ * Copyright (C) 2009 K. Jacobs and others (see authors.php)
+ * http://code.google.com/p/part-db/
+ *
+ * Part-DB Version 0.4+
+ * Copyright (C) 2016 - 2019 Jan Böhmer
+ * https://github.com/jbtronics
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ *
+ */
+
+namespace App\Security;
+
+
+use App\Entity\UserSystem\User;
+use Symfony\Component\Security\Core\Exception\AccountStatusException;
+use Symfony\Component\Security\Core\Exception\DisabledException;
+use Symfony\Component\Security\Core\User\UserCheckerInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Contracts\Translation\TranslatorInterface;
+use Throwable;
+
+class UserChecker implements UserCheckerInterface
+{
+    protected $translator;
+
+    public function __construct(TranslatorInterface $translator)
+    {
+        $this->translator = $translator;
+    }
+
+    /**
+     * Checks the user account before authentication.
+     *
+     * @throws AccountStatusException
+     */
+    public function checkPreAuth(UserInterface $user)
+    {
+        // TODO: Implement checkPreAuth() method.
+    }
+
+    /**
+     * Checks the user account after authentication.
+     *
+     * @throws AccountStatusException
+     */
+    public function checkPostAuth(UserInterface $user)
+    {
+        if (!$user instanceof User) {
+            return;
+        }
+
+        //Check if user is disabled. Then dont allow login
+        if ($user->isDisabled()) {
+            throw new DisabledException();
+        }
+    }
+}

src/Security/Voter/ExtendedVoter.php

@@ -56,6 +56,12 @@ abstract class ExtendedVoter extends Voter
     final protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
     {
         $user = $token->getUser();
+
+        //An allowed user is not allowed to do anything...
+        if($user instanceof User && $user->isDisabled()) {
+            return false;
+        }
+
         // if the user is anonymous, we use the anonymous user.
         if (!$user instanceof User) {
             $user = $this->entityManager->find(User::class, User::ID_ANONYMOUS);

templates/AdminPages/UserAdmin.html.twig

@@ -33,6 +33,7 @@
     <div class="tab-pane" id="password">
         {{ form_row(form.new_password) }}
         {{ form_row(form.need_pw_change) }}
+        {{ form_row(form.disabled) }}
     </div>
 
     <div class="tab-pane" id="permissions">