Fix: only login user when it's the current user. (#3396)

Otherwise it would login the admin as the user...
getredash · Feb 5, 2019 · 7cfea8a · 7cfea8a
1 parent 2011864
commit 7cfea8a
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/redash/handlers/users.py b/redash/handlers/users.py
@@ -216,7 +216,8 @@ def post(self, user_id):
             # The user has updated their email or password. This should invalidate all _other_ sessions,
             # forcing them to log in again. Since we don't want to force _this_ session to have to go
             # through login again, we call `login_user` in order to update the session with the new identity details.
-            login_user(user, remember=True)
+            if current_user.id == user.id:
+                login_user(user, remember=True)
         except IntegrityError as e:
             if "email" in e.message:
                 message = "Email already taken."