e-valuation / EvaP

a university course evaluation system written in Python using Django

Clear session of user on permission change #2205

Open janno42 opened 4 months ago

janno42 commented 4 months ago

When removing manager or reviewer permissions from a user, that user's session should be cleared. Currently, logging in with a user who was a reviewer and previously used Staff mode fails with an AssertionError:

    File "/opt/evap/evap/staff/staff_mode.py", line 56, in update_staff_mode
        assert request.user.has_staff_permission

richardebeling commented 4 months ago

I guess it would suffice to just reset the attribute in the session that determines whether staff mode is active, so they don't have to log in again?

niklasmohrin commented 4 months ago

Or would it be better to make the middleware redirect them to normal mode if they don't have the permission (anymore)?
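
The two suggestions above (reset the session attribute, or have the middleware fall back to normal mode) combined in one check, as an added example that is not part of this thread or of EvaP's code. The session key name, the `User`/`Request` stand-ins for Django's objects, and every function name are assumptions made for illustration.

```python
# Added illustration, not EvaP's code: plain-Python stand-ins replace Django's
# request, user and session so the logic runs without a Django project.
from dataclasses import dataclass, field

STAFF_MODE_KEY = "staff_mode_active"  # hypothetical session key name


@dataclass
class User:
    has_staff_permission: bool


@dataclass
class Request:
    user: User
    session: dict = field(default_factory=dict)
    staff_mode: bool = False


def update_staff_mode_asserting(request):
    """Reported behaviour: a stale session flag trips the assertion."""
    if request.session.get(STAFF_MODE_KEY):
        assert request.user.has_staff_permission
    request.staff_mode = bool(request.session.get(STAFF_MODE_KEY))


def update_staff_mode_tolerant(request):
    """Re-check the permission; drop a stale flag and use normal mode."""
    active = bool(request.session.get(STAFF_MODE_KEY))
    if active and not request.user.has_staff_permission:
        request.session.pop(STAFF_MODE_KEY, None)  # revoke the stale flag
        active = False
    request.staff_mode = active


def staff_mode_middleware(get_response):
    """Django-style middleware factory: runs the check on every request."""
    def middleware(request):
        update_staff_mode_tolerant(request)
        return get_response(request)
    return middleware


def demo():
    # Constructed case: permission removed while the session flag is still set.
    revoked = Request(User(False), {STAFF_MODE_KEY: True})
    view = staff_mode_middleware(lambda r: "staff" if r.staff_mode else "normal")
    return view(revoked), STAFF_MODE_KEY in revoked.session
```

Because the permission is re-read on every request, a revocation takes effect on the user's next request without ending their login session.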