Invalidate any previously cached attributes on user login

2025-12-18 14:34:21 +01:00 · 2020-05-03 20:47:25 -04:00
parent 7779175eea
commit 625c17db30
2 changed files with 4 additions and 12 deletions
--- a/CTFd/utils/security/auth.py
+++ b/CTFd/utils/security/auth.py
@@ -3,6 +3,7 @@ import os
 from flask import session
 from CTFd.cache import clear_user_session
 from CTFd.exceptions import UserNotFoundException, UserTokenExpiredException
 from CTFd.models import UserTokens, db
 from CTFd.utils.encoding import hexencode
@@ -15,6 +16,9 @@ def login_user(user):
    session["email"] = user.email
    session["nonce"] = generate_nonce()
    # Clear out any currently cached user attributes
    clear_user_session(user_id=user.id)
 def logout_user():
    session.clear()
--- a/tests/cache/test_cache.py
+++ b/tests/cache/test_cache.py
@@ -28,18 +28,6 @@ def test_clear_user_session():
        user.type = "admin"
        app.db.session.commit()
        # The user shouldn't be considered admin because their type is still cached
        user = Users.query.filter_by(id=2).first()
        with app.test_request_context("/"):
            login_user(user)
            user = get_current_user()
            assert user.id == 2
            assert user.type == "admin"
            assert is_admin() is False
        # Clear the user's cached session (for now just the type)
        clear_user_session(user_id=2)
        # The user's type should now be admin
        user = Users.query.filter_by(id=2).first()
        with app.test_request_context("/"):