Fix: only login user when it's the current user. (#3396)

Otherwise it would login the admin as the user...
Arik Fraimovich
2019-02-05 15:53:51 +02:00
committed by GitHub
parent 2011864fdb
commit 7cfea8a6a0


@@ -216,7 +216,8 @@ class UserResource(BaseResource):
# The user has updated their email or password. This should invalidate all _other_ sessions,
# forcing them to log in again. Since we don't want to force _this_ session to have to go
# through login again, we call `login_user` in order to update the session with the new identity details.
login_user(user, remember=True)
if current_user.id == user.id:
login_user(user, remember=True)
except IntegrityError as e:
if "email" in e.message:
message = "Email already taken."
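Review bot: The comment above the new `if current_user.id == user.id:` guard still describes only the self-edit case, so nothing in the code records why the guard exists and a later cleanup could drop it as redundant. Going by the commit message, without the guard an admin saving another user's email or password has their own session replaced with that user's identity. I would add a line directly above the guard such as `# Only refresh the session when the caller edited their own account; otherwise an admin would end up logged in as the edited user.` A regression test in which an admin updates another user and the session is then asserted to still belong to the admin would pin this behaviour; none is visible in this hunk. The enclosing method starts and ends outside the hunk.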