Auth: Delete user sessions after a permission level change #3512

Signed-off-by: Michael Mayer <michael@photoprism.app>

internal/api/users_update.go

@@ -78,11 +78,13 @@ func UpdateUser(router *gin.RouterGroup) {
 		// Log event.
 		event.AuditInfo([]string{ClientIP(c), "session %s", "users", m.UserName, "updated"}, s.RefID)
 
-		// Delete sessions after privilege level change.
+		// Delete user sessions after a permission level change.
-		if s.User().UserUID != m.UID() && isPrivileged {
 		// see https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
+		if isPrivileged {
+			// Prevent the current session from being deleted.
+			deleted := m.DeleteSessions([]string{s.ID})
 			event.AuditInfo([]string{ClientIP(c), "session %s", "users", m.UserName, "invalidated %s"}, s.RefID,
-				english.Plural(m.DeleteSessions(nil), "session", "sessions"))
+				english.Plural(deleted, "session", "sessions"))
 		}
 
 		// Clear the session cache.

internal/entity/auth_user.go

@@ -740,8 +740,16 @@ func (m *User) DeleteSessions(omit []string) (deleted int) {
 		return 0
 	}
 
+	// Compose update statement.
+	stmt := Db()
+
 	// Find all user sessions except the session ids passed as argument.
-	stmt := Db().Where("user_uid = ? AND id NOT IN (?)", m.UserUID, omit)
+	if len(omit) == 0 {
+		stmt = stmt.Where("user_uid = ?", m.UserUID)
+	} else {
+		stmt = stmt.Where("user_uid = ? AND id NOT IN (?)", m.UserUID, omit)
+	}
+
 	sess := Sessions{}
 
 	if err := stmt.Find(&sess).Error; err != nil {