diff --git a/internal/api/users_update.go b/internal/api/users_update.go
index 2836aaafe..596945414 100644
--- a/internal/api/users_update.go
+++ b/internal/api/users_update.go
@@ -78,11 +78,13 @@ func UpdateUser(router *gin.RouterGroup) {
 // Log event.
 event.AuditInfo([]string{ClientIP(c), "session %s", "users", m.UserName, "updated"}, s.RefID)
 
- // Delete sessions after privilege level change.
- if s.User().UserUID != m.UID() && isPrivileged {
- // see https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
+ // Delete user sessions after a permission level change.
+ // see https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
+ if isPrivileged {
+ // Prevent the current session from being deleted.
+ deleted := m.DeleteSessions([]string{s.ID})
 event.AuditInfo([]string{ClientIP(c), "session %s", "users", m.UserName, "invalidated %s"}, s.RefID,
- english.Plural(m.DeleteSessions(nil), "session", "sessions"))
+ english.Plural(deleted, "session", "sessions"))
 }
 
 // Clear the session cache.
diff --git a/internal/entity/auth_user.go b/internal/entity/auth_user.go
index 9f0f2e1e2..23de7708c 100644
--- a/internal/entity/auth_user.go
+++ b/internal/entity/auth_user.go
@@ -740,8 +740,16 @@ func (m *User) DeleteSessions(omit []string) (deleted int) {
 return 0
 }
 
+ // Compose update statement.
+ stmt := Db()
+
 // Find all user sessions except the session ids passed as argument.
- stmt := Db().Where("user_uid = ? AND id NOT IN (?)", m.UserUID, omit)
+ if len(omit) == 0 {
+ stmt = stmt.Where("user_uid = ?", m.UserUID)
+ } else {
+ stmt = stmt.Where("user_uid = ? AND id NOT IN (?)", m.UserUID, omit)
+ }
+
 sess := Sessions{}
 if err := stmt.Find(&sess).Error; err != nil {
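Review bot: The session that `m.DeleteSessions([]string{s.ID})` keeps alive is the caller's own session, so on a self-edit the privilege change takes effect on an unrenewed session ID, while the OWASP item linked in the comment directly above asks for the session ID to be renewed after any privilege-level change. When the caller edits another account, `s.ID` belongs to a different `user_uid` and the omit list is a harmless no-op, but the dropped guard `s.User().UserUID != m.UID()` means the self-edit case now reaches this branch with its pre-change session left valid at the new level. If renewal is handled on a later request, say so where the current comment sits, e.g. `// Keep the caller's own session; its ID is not renewed here — confirm renewal happens downstream`; otherwise regenerate (or force re-authentication of) that session here instead of merely omitting it. What `isPrivileged` covers is not visible in the hunk, and `UpdateUser` starts and ends outside it.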