Role changes don't reflect instantly?

Hello,

I am using Directus for a site where users can log in. When I change a user's role from one with lots of permissions to one with fewer permissions, it seems the user can still do everything from their previous role with their access token until they log out and back in again and get a fresh access token.

Firstly, I was wondering: Is this intended behavior? It’s a huge security concern after all!
Secondly, is there any workaround to solve this? Can I force a user to acquire a new token for example?


Are you using the App Studio, or are users logging into a custom frontend?

Asked our team on this and it sounds potentially like you might be experiencing a caching issue. It’s definitely not the default behavior.

If you make a change to a user's access, as soon as that user navigates inside the App Studio the changes are reflected.

If it is on the API side where you’re having the issue, I’d definitely take a look at your caching setup.
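The two failure modes discussed in this thread, a token that snapshots the role at issuance and a permission cache that is never invalidated after a role change, can be reproduced side by side in a few lines. The following is an added example written for this page; it is not Directus code and says nothing about how Directus itself resolves permissions. The signing key, the `USERS` store, the `ROLE_PERMISSIONS` table and all function names are assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical signing key; a real deployment reads this from configuration.
SECRET = b"example-only-secret"

# Constructed user store and role -> permission table (not Directus's schema).
USERS = {"u1": {"role": "admin"}}
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "viewer": {"read"},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 900) -> str:
    """Mint a minimal HS256 token. Like most access tokens it snapshots the
    role at issuance and stays valid until 'exp' whatever happens later."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "sub": user_id,
        "role": USERS[user_id]["role"],
        "exp": int(time.time()) + ttl_seconds,
    }).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = _b64url(hmac.new(SECRET, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Check signature and expiry; return the claims, or None if invalid."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


class PermissionCache:
    """Per-user permission cache with a TTL and explicit invalidation."""

    def __init__(self, ttl_seconds: float = 300):
        self.ttl = ttl_seconds
        self._entries = {}  # user_id -> (expires_at, permissions)

    def get(self, user_id: str) -> set:
        hit = self._entries.get(user_id)
        if hit and hit[0] > time.time():
            return hit[1]  # cache hit: role changes are invisible until TTL
        perms = ROLE_PERMISSIONS[USERS[user_id]["role"]]
        self._entries[user_id] = (time.time() + self.ttl, perms)
        return perms

    def invalidate(self, user_id: str) -> None:
        self._entries.pop(user_id, None)


def allowed_by_token_claim(token: str, action: str) -> bool:
    """Stale pattern: trust the role baked into the token until it expires."""
    claims = verify_token(token)
    return bool(claims) and action in ROLE_PERMISSIONS[claims["role"]]


def allowed_by_lookup(token: str, action: str, cache: PermissionCache) -> bool:
    """Fresh pattern: the token only proves identity; the role is resolved
    per request through the cache, so it is only as fresh as the cache."""
    claims = verify_token(token)
    return bool(claims) and action in cache.get(claims["sub"])


def change_role(user_id: str, new_role: str, cache: Optional[PermissionCache]) -> None:
    """Apply a role change. Pass cache=None to simulate a backend that
    forgets to invalidate cached permissions when the role changes."""
    USERS[user_id]["role"] = new_role
    if cache is not None:
        cache.invalidate(user_id)
```

Running the checks in order shows the three states worth distinguishing: immediately after issuance both checks allow `delete`; after the role is downgraded without invalidation, the claim-based check and the cached lookup both still allow it; after `cache.invalidate()` the lookup-based check denies `delete` while the claim-based check keeps allowing it until `exp`. Forcing a fresh token only helps the first pattern; a stale cache needs invalidation or a short TTL regardless of how tokens are handled.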