From 4da6e6fb5fb4a0fc16ca06a8536f11123d7a4349 Mon Sep 17 00:00:00 2001
From: Kilian Hofmann
Date: Tue, 30 Jul 2024 21:25:05 +0200
Subject: [PATCH] Permission change session invalidation
---
 exam/classes/Models/User/User.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/exam/classes/Models/User/User.php b/exam/classes/Models/User/User.php
index 84b5fb3..b801829 100644
--- a/exam/classes/Models/User/User.php
+++ b/exam/classes/Models/User/User.php
@@ -619,7 +619,19 @@ class User implements JsonSerializable
 $failed = [];
 $reasons = [];
 if (isset($isAdmin)) {
- $stmt = $db->prepare("UPDATE egb_benutzer SET isadmin = :ADM WHERE id = :ID");
+ // Clear tokens to revoke access if logged in
+ $stmt = $db->prepare(
+ "UPDATE
+ egb_benutzer
+ SET
+ isadmin = :ADM,
+ token = NULL,
+ tokenExpiry = NULL,
+ refreshToken = NULL,
+ refreshExpiry = NULL
+ WHERE
+ id = :ID"
+ );
 $stmt->bindValue(":ADM", $isAdmin);
 $stmt->bindValue(":ID", $this->id);
 try {
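Review bot: Nulling `token` and `refreshToken` in the new `UPDATE` revokes access only if every authenticated request checks those columns in `egb_benutzer`, and nothing in this hunk shows that. If the access token or a cached admin flag is accepted without a database lookup, a demoted admin would keep the old rights until `tokenExpiry`. This should be confirmed and the comment made explicit, e.g. `// Clear tokens so the next request must re-authenticate under the new isadmin value`. The reset also runs whenever `$isAdmin` is set, even if the stored value is unchanged, so a no-op save logs the user out; comparing against the current value before running the statement would avoid that. The method starts and continues outside the hunk, so other permission-affecting fields handled further down may need the same invalidation.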