From 625c17db306bb4501d0c27642cdef002eb5ce481 Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Sun, 3 May 2020 20:47:25 -0400
Subject: [PATCH] Invalidate any previously cached attributes on user login

---
 CTFd/utils/security/auth.py | 4 ++++
 tests/cache/test_cache.py | 12 ------------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/CTFd/utils/security/auth.py b/CTFd/utils/security/auth.py
index d008e75c..9692e845 100644
--- a/CTFd/utils/security/auth.py
+++ b/CTFd/utils/security/auth.py
@@ -3,6 +3,7 @@ import os
 
 from flask import session
 
+from CTFd.cache import clear_user_session
 from CTFd.exceptions import UserNotFoundException, UserTokenExpiredException
 from CTFd.models import UserTokens, db
 from CTFd.utils.encoding import hexencode
@@ -15,6 +16,9 @@ def login_user(user):
     session["email"] = user.email
     session["nonce"] = generate_nonce()
 
+    # Clear out any currently cached user attributes
+    clear_user_session(user_id=user.id)
+
 
 def logout_user():
     session.clear()
diff --git a/tests/cache/test_cache.py b/tests/cache/test_cache.py
index 0d011335..c4fe447a 100644
--- a/tests/cache/test_cache.py
+++ b/tests/cache/test_cache.py
@@ -28,18 +28,6 @@ def test_clear_user_session():
     user.type = "admin"
     app.db.session.commit()
 
-    # The user shouldn't be considered admin because their type is still cached
-    user = Users.query.filter_by(id=2).first()
-    with app.test_request_context("/"):
-        login_user(user)
-        user = get_current_user()
-        assert user.id == 2
-        assert user.type == "admin"
-        assert is_admin() is False
-
-    # Clear the user's cached session (for now just the type)
-    clear_user_session(user_id=2)
-
     # The user's type should now be admin
     user = Users.query.filter_by(id=2).first()
     with app.test_request_context("/"):
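Review bot: The invalidation in login_user only runs at login, so a `user.type` change or ban applied while the user stays logged in keeps serving the stale memoized attributes until their next login; the deleted test in test_cache.py demonstrated precisely that stale-type window, and this change moves the clear into login rather than covering mid-session updates. If the admin-side user update path does not already call `clear_user_session(user_id=...)` after committing, it should, since otherwise a demoted admin keeps cached admin attributes for the life of the cache entry (whether it does is not visible in this patch). The new comment would be more useful stating the reason: `# Drop memoized user attributes (e.g. type) so this session reads current DB state, not values cached before a role change`. login_user begins above the hunk; only its tail is shown here.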