fix(auth): invalidate session when permissions change EE-3320 (#8103)

2 years ago · 0ddcad66f3
parent 930d9e5628
commit 0ddcad66f3
2 changed files with 8 additions and 4 deletions
--- a/api/http/handler/users/user_update.go
+++ b/api/http/handler/users/user_update.go
@ -108,14 +108,15 @@ func (handler *Handler) userUpdate(w http.ResponseWriter, r *http.Request) *http
 		user.TokenIssueAt = time.Now().Unix()
 	}

-	if payload.Role != 0 {
-		user.Role = portainer.UserRole(payload.Role)
-	}
-
 	if payload.UserTheme != "" {
 		user.UserTheme = payload.UserTheme
 	}

+	if payload.Role != 0 {
+		user.Role = portainer.UserRole(payload.Role)
+		user.TokenIssueAt = time.Now().Unix()
+	}
+
 	err = handler.DataStore.User().UpdateUser(user.ID, user)
 	if err != nil {
 		return httperror.InternalServerError("Unable to persist user changes inside the database", err)
--- a/app/portainer/services/stateManager.js
+++ b/app/portainer/services/stateManager.js
@ -52,6 +52,9 @@ function StateManagerFactory(
  };

  manager.resetPasswordChangeSkips = function (userID) {
+    if (!state.UI.timesPasswordChangeSkipped) {
+      return;
+    }
    if (state.UI.timesPasswordChangeSkipped[userID]) state.UI.timesPasswordChangeSkipped[userID] = 0;
    LocalStorage.storeUIState(state.UI);
  };