Only refresh session if updating own password (#15426)

Fixes bug where creating a new user will request a new awx_sessionid cookie, invalidating the previous session. Do not refresh session if updating or creating a password for a different user. Signed-off-by: Seth Foster <fosterbseth@gmail.com>
2026-03-05 18:51:06 -03:30 · 2024-08-07 17:04:19 -04:00
parent 37b7a69303
commit 73b1536356
2 changed files with 24 additions and 1 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1038,7 +1038,9 @@ class UserSerializer(BaseSerializer):
            # as the modified user then inject a session key derived from
            # the updated user to prevent logout. This is the logic used by
            # the Django admin's own user_change_password view.
-            update_session_auth_hash(self.context['request'], obj)
+            if self.instance and self.context['request'].user.username == obj.username:
+                update_session_auth_hash(self.context['request'], obj)
+
        elif not obj.password:
            obj.set_unusable_password()
            obj.save(update_fields=['password'])