From 0ddcad66f38059069665462b6efb020bcfd21df9 Mon Sep 17 00:00:00 2001
From: Dakota Walsh <101994734+dakota-portainer@users.noreply.github.com>
Date: Wed, 14 Dec 2022 10:12:00 +1300
Subject: [PATCH] fix(auth): invalidate session when permissions change EE-3320 (#8103)
---
 api/http/handler/users/user_update.go | 9 +++++----
 app/portainer/services/stateManager.js | 3 +++
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/api/http/handler/users/user_update.go b/api/http/handler/users/user_update.go
index c7aba3c5f..5eae759aa 100644
--- a/api/http/handler/users/user_update.go
+++ b/api/http/handler/users/user_update.go
@@ -108,14 +108,15 @@ func (handler *Handler) userUpdate(w http.ResponseWriter, r *http.Request) *http
 user.TokenIssueAt = time.Now().Unix()
 }
 
- if payload.Role != 0 {
- user.Role = portainer.UserRole(payload.Role)
- }
-
 if payload.UserTheme != "" {
 user.UserTheme = payload.UserTheme
 }
 
+ if payload.Role != 0 {
+ user.Role = portainer.UserRole(payload.Role)
+ user.TokenIssueAt = time.Now().Unix()
+ }
+
 err = handler.DataStore.User().UpdateUser(user.ID, user)
 if err != nil {
 return httperror.InternalServerError("Unable to persist user changes inside the database", err)
diff --git a/app/portainer/services/stateManager.js b/app/portainer/services/stateManager.js
index b3210182d..2e4577a5a 100644
--- a/app/portainer/services/stateManager.js
+++ b/app/portainer/services/stateManager.js
@@ -52,6 +52,9 @@ function StateManagerFactory(
 };
 
 manager.resetPasswordChangeSkips = function (userID) {
+ if (!state.UI.timesPasswordChangeSkipped) {
+ return;
+ }
 if (state.UI.timesPasswordChangeSkipped[userID]) state.UI.timesPasswordChangeSkipped[userID] = 0;
 LocalStorage.storeUIState(state.UI);
 };
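Review bot: The relocated `payload.Role != 0` block bumps `user.TokenIssueAt` whenever a role is supplied, even when it equals the role the user already has, so a client that resubmits the full user object would presumably invalidate that user's tokens on every save. Tying the reset to an actual change keeps the revocation meaningful: `if payload.Role != 0 && portainer.UserRole(payload.Role) != user.Role {`. `time.Now().Unix()` has one-second resolution, so it is worth confirming that the token check (not visible here) also rejects a token issued in the same second as the role change. userUpdate begins and ends outside this hunk.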
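Review bot: The new early return in `resetPasswordChangeSkips` carries no comment saying when `state.UI.timesPasswordChangeSkipped` can be unset, and its link to the session-invalidation change in this commit is not evident from the hunk. A one-line comment such as `// UI state may not hold the skip counters yet; nothing to reset` would record the intent; the exact trigger should be confirmed by the author. The return also skips `LocalStorage.storeUIState(state.UI)`, which looks harmless because nothing has been modified at that point.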