Permission change session invalidation

exam/classes/Models/User/User.php

@@ -619,7 +619,19 @@ class User implements JsonSerializable
     $failed = [];
     $reasons = [];
     if (isset($isAdmin)) {
-      $stmt = $db->prepare("UPDATE egb_benutzer SET isadmin = :ADM WHERE id = :ID");
+      // Clear tokens to revoke access if logged in
+      $stmt = $db->prepare(
+        "UPDATE
+          egb_benutzer
+        SET
+          isadmin = :ADM,
+          token = NULL,
+          tokenExpiry = NULL,
+          refreshToken = NULL,
+          refreshExpiry = NULL
+        WHERE
+          id = :ID"
+      );
       $stmt->bindValue(":ADM", $isAdmin);
       $stmt->bindValue(":ID", $this->id);
       try {