Role changes don't reflect instantly?

CRUGG · July 1, 2025, 1:53pm

Hello,

I am using Directus for a site where users can log in. When I change a user’s role from one with lots of permissions to one with less permissions, it seems the user can still do everything from their previous role with their access token until they log out and back in again and get a fresh access token.

Firstly, I was wondering: Is this intended behavior? It’s a huge security concern after all!
Secondly, is there any workaround to solve this? Can I force a user to acquire a new token for example?

bryantgillespie · July 1, 2025, 3:35pm

Are you using the App Studio? or users are logging into a custom frontend?

Asked our team on this and it sounds potentially like you might be experiencing a caching issue. It’s definitely not the default behavior.

If you make a change to a users access, as soon as that user navigates inside the App Studio - the changes are reflected.

If it is on the API side where you’re having the issue, I’d definitely take a look at your caching setup.

Topic		Replies	Views
Clarification on Policy Order, Parent Roles, and User-Specific Permissions Help	0	15	June 25, 2025
Multi-tenant, Different roles per tenant Help data-modeling , permissions , authentication	4	78	May 21, 2025
Refresh Token not received on login Help	2	39	June 20, 2025
Best place to put refresh logic/authentication logic with the SDK Help	1	63	May 2, 2025
Replicated Postgres Help	1	27	June 14, 2025

Role changes don't reflect instantly?

Related topics