Closed lukeshafer closed 1 year ago
If someone's admin rights are removed, they will not be logged out automatically. We want to either:
- Check on every request and invalidate the session if needed
- Check on every write request, return unauthorized + invalidate cookie
The latter seems more secure AND simpler so will likely do that.
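The second option from the issue, sketched as a framework-independent guard. This is an added example, not code from the project: the in-memory `users` and `sessions` maps, the `session` cookie name, and the `guardAdminWrite` function are assumptions made for illustration.

```javascript
// Constructed in-memory stores standing in for the real user table and session store.
const users = new Map([
  ["alice", { isAdmin: true }],
  ["bob", { isAdmin: true }],
]);
const sessions = new Map([
  ["sess-a", { userId: "alice" }],
  ["sess-b", { userId: "bob" }],
]);

const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
// Expires the (hypothetical) "session" cookie in the browser.
const CLEAR_COOKIE = "session=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax";

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Returns null to let the request continue, or a response descriptor to send instead.
function guardAdminWrite(req) {
  // Only write requests are re-checked; reads pass through untouched.
  if (!WRITE_METHODS.has(req.method.toUpperCase())) return null;

  const sid = parseCookies(req.headers.cookie).session;
  const session = sid ? sessions.get(sid) : undefined;
  // Look up the user's current role, not the role captured at login.
  const user = session ? users.get(session.userId) : undefined;
  if (user && user.isAdmin) return null;

  // Invalidate server-side as well, so the old session id cannot be replayed
  // by a client that ignores the Set-Cookie header.
  if (sid) sessions.delete(sid);
  return { status: 401, headers: { "Set-Cookie": CLEAR_COOKIE }, body: "Unauthorized" };
}
```

With this guard, a demoted admin keeps read access to admin pages until the first write attempt or until the session expires, so session lifetime still matters for read-only views.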