From 1dddd818dd36fcd44e593f5ed30881dda573d36f Mon Sep 17 00:00:00 2001
From: Arik Fraimovich
Date: Tue, 5 Feb 2019 13:50:26 +0200
Subject: [PATCH] Fix: only login user when it's the current user. Otherwise it would login the admin as the user...
---
 redash/handlers/users.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/redash/handlers/users.py b/redash/handlers/users.py
index 0e373cc864..7b88b517e2 100644
--- a/redash/handlers/users.py
+++ b/redash/handlers/users.py
@@ -216,7 +216,8 @@ def post(self, user_id):
 # The user has updated their email or password. This should invalidate all _other_ sessions,
 # forcing them to log in again. Since we don't want to force _this_ session to have to go
 # through login again, we call `login_user` in order to update the session with the new identity details.
- login_user(user, remember=True)
+ if current_user.id == user.id:
+ login_user(user, remember=True)
 except IntegrityError as e:
 if "email" in e.message:
 message = "Email already taken."
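Review bot: The guarded `login_user(user, remember=True)` call still hard-codes `remember=True`, so a user who changes their own email or password may end up with a persistent remember-me cookie even if the original login did not request one; the login handler is not visible here, so this needs confirming. Carrying over the session's existing choice would avoid lengthening session lifetime as a side effect of a credential change. The comment block above the new `if` explains only the re-login, not the restriction, and a line such as `# Only refresh the session when users edit themselves; an admin editing another user must stay logged in as the admin.` would record why the guard exists. The patch touches only `redash/handlers/users.py`, so a regression test asserting that an admin who updates another user's email remains authenticated as the admin is worth adding. `post` begins and continues outside the hunk.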