Destroy user token when changing its role

1 files changed, 7 insertions, 0 deletions

diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts
index aced4639e..79bb2665d 100644
--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -19,6 +19,7 @@ import {
 import { usersUpdateMyAvatarValidator, videosSortValidator } from '../../middlewares/validators'
 import { AccountVideoRateModel } from '../../models/account/account-video-rate'
 import { UserModel } from '../../models/account/user'
+import { OAuthTokenModel } from '../../models/oauth/oauth-token'
 import { VideoModel } from '../../models/video/video'
 
 const reqAvatarFile = createReqFiles('avatarfile', CONFIG.STORAGE.AVATARS_DIR, AVATAR_MIMETYPE_EXT)
@@ -288,6 +289,7 @@ async function updateMyAvatar (req: express.Request, res: express.Response, next
 async function updateUser (req: express.Request, res: express.Response, next: express.NextFunction) {
   const body: UserUpdate = req.body
   const user = res.locals.user as UserModel
+  const roleChanged = body.role !== undefined && body.role !== user.role
 
   if (body.email !== undefined) user.email = body.email
   if (body.videoQuota !== undefined) user.videoQuota = body.videoQuota
@@ -295,6 +297,11 @@ async function updateUser (req: express.Request, res: express.Response, next: ex
 
   await user.save()
 
+  // Destroy user token to refresh rights
+  if (roleChanged) {
+    await OAuthTokenModel.deleteUserToken(user.id)
+  }
+
   // Don't need to send this update to followers, these attributes are not propagated
 
   return res.sendStatus(204)