Whenever I edit a user's role, the user needs to log out and log back in to see the change. There is no problem when promoting a user, as they simply do not see the additional permissions until they re-enter the system. However, when a demotion should occur, the user still retains their existing role, which poses a security risk. Imagine that you are revoking the administrator role from a rogue employee and they can still do things (for example, sabotage the system) until they log out!
Is it possible to cancel all sessions or tokens related to a specific user? If there is another way to dynamically update user roles without logging them out, I would love to hear it!
Just to make everything clear, I'm not trying to nullify the user's current session / token.
Thanks in advance!
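The following is an added example, not code from the question or from any particular framework, showing the two mechanisms the question is asking about: resolving the role from the user store on every request (so a demotion applies on the next request rather than at the next login), and a per-user session version that can be bumped to invalidate every session or token issued to that user at once. The user store, the token format, the secret and all names are hypothetical; the example is stdlib-only so it runs offline.

```python
"""Added example (not from the original post): make a role demotion take
effect immediately and allow all of a user's sessions to be revoked.

Design points:
  * The token carries the username and a session version, but NOT the role.
    The role is read from the user store on every request, so changing it
    takes effect on the user's very next request.
  * Bumping the user's session version invalidates every token that was
    issued before the bump, which is the "cancel all sessions" operation.

The in-memory user store, token layout, and SECRET are hypothetical.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumption: a real deployment loads this from configuration, not source.
SECRET = b"hypothetical-server-secret"

# Constructed in-memory user store: username -> role and session version.
USERS = {
    "alice": {"role": "admin", "session_version": 1},
}


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the raw token body (hypothetical token format)."""
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(username: str) -> str:
    """Issue a token at login. It pins the session version at issue time
    but deliberately does not embed the role."""
    user = USERS[username]
    body = json.dumps(
        {"sub": username, "sv": user["session_version"], "iat": int(time.time())}
    ).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def current_role(token: str):
    """Resolve the caller's effective role for this request.

    Returns None when the token is malformed or forged, the user no longer
    exists, or the user's sessions were revoked after the token was issued.
    Otherwise returns the role as it is stored NOW, not as it was at login.
    """
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(body), sig):
        return None  # signature mismatch: tampered or forged token
    claims = json.loads(body)
    user = USERS.get(claims.get("sub"))
    if user is None or claims.get("sv") != user["session_version"]:
        return None  # revoked: version was bumped since issuance
    return user["role"]  # freshly read, so demotions apply immediately


def set_role(username: str, role: str) -> None:
    """Change the stored role; no logout needed for it to take effect."""
    USERS[username]["role"] = role


def revoke_all_sessions(username: str) -> int:
    """Invalidate every outstanding token for the user; returns the new version."""
    USERS[username]["session_version"] += 1
    return USERS[username]["session_version"]


if __name__ == "__main__":
    tok = issue_token("alice")
    print("at login:", current_role(tok))          # admin
    set_role("alice", "user")
    print("after demotion:", current_role(tok))    # user, same token
    revoke_all_sessions("alice")
    print("after revocation:", current_role(tok))  # None, must log in again
```

The trade-off is one store lookup per request; if that is too costly, a short-lived cached copy of the role bounds how long a demoted user keeps the old role, and the session-version bump still gives an immediate kill switch for a rogue account.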