fix(auth): invalidate session when permissions change EE-3320 (#8103)

api/http/handler/users/user_update.go

@@ -108,14 +108,15 @@ func (handler *Handler) userUpdate(w http.ResponseWriter, r *http.Request) *http
 		user.TokenIssueAt = time.Now().Unix()
 	}
 
-	if payload.Role != 0 {
-		user.Role = portainer.UserRole(payload.Role)
-	}
-
 	if payload.UserTheme != "" {
 		user.UserTheme = payload.UserTheme
 	}
 
+	if payload.Role != 0 {
+		user.Role = portainer.UserRole(payload.Role)
+		user.TokenIssueAt = time.Now().Unix()
+	}
+
 	err = handler.DataStore.User().UpdateUser(user.ID, user)
 	if err != nil {
 		return httperror.InternalServerError("Unable to persist user changes inside the database", err)

app/portainer/services/stateManager.js

@@ -52,6 +52,9 @@ function StateManagerFactory(
   };
 
   manager.resetPasswordChangeSkips = function (userID) {
+    if (!state.UI.timesPasswordChangeSkipped) {
+      return;
+    }
     if (state.UI.timesPasswordChangeSkipped[userID]) state.UI.timesPasswordChangeSkipped[userID] = 0;
     LocalStorage.storeUIState(state.UI);
   };