Only refresh session if updating own password (#15426) (#6653)

Fixes bug where creating a new user will request a new awx_sessionid cookie, invalidating the previous session. Do not refresh session if updating or creating a password for a different user. Signed-off-by: Seth Foster <fosterbseth@gmail.com>
2026-03-06 03:01:06 -03:30 · 2024-09-03 10:54:13 -04:00
parent 15e28371eb
commit 2334211ba0
2 changed files with 24 additions and 1 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1039,7 +1039,9 @@ class UserSerializer(BaseSerializer):
            # as the modified user then inject a session key derived from
            # the updated user to prevent logout. This is the logic used by
            # the Django admin's own user_change_password view.
-            update_session_auth_hash(self.context['request'], obj)
+            if self.instance and self.context['request'].user.username == obj.username:
+                update_session_auth_hash(self.context['request'], obj)
+
        elif not obj.password:
            obj.set_unusable_password()
            obj.save(update_fields=['password'])