Whenever I edit a user's role, the user needs to log out and log back in to see the changes. There's no problem when promoting a user, as they just won't see the extra permissions until signing in again. However, when a demotion occurs, the user will still keep their existing role, which imposes security risks. Imagine revoking the admin role from a rogue employee, and they are still able to do anything (e.g. sabotage the system) until they log out!
Is it possible to invalidate all sessions or tokens that are related to a specific user? If there is another way to dynamically update a user's roles without logging them out, I would love to hear it!
Just to make it clear, I'm not trying to invalidate the currently logged-in user's session/token.
Thanks in advance!
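The two approaches the question asks about, as an added illustration that is not part of the original post: a server-side session store that reads the user's role on every request (so a role change is visible immediately) and a per-user session version that is bumped to revoke every token issued to that user, while other users' sessions stay valid. The class and field names are assumptions for this example; the store is in-memory.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    role: str
    session_version: int = 0  # bumped whenever this user's sessions must be invalidated


@dataclass
class Session:
    user: str
    version: int  # the user's session_version at the time of login
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def login(self, username: str) -> str:
        """Issue a fresh opaque token bound to the user's current session version."""
        user = self.users[username]
        session = Session(user=username, version=user.session_version)
        self.sessions[session.token] = session
        return session.token

    def current_role(self, token: str):
        """Resolve the caller's role on every request; None means the session is invalid."""
        session = self.sessions.get(token)
        if session is None:
            return None
        user = self.users.get(session.user)
        if user is None or session.version != user.session_version:
            self.sessions.pop(token, None)  # lazily evict a revoked or orphaned session
            return None
        return user.role  # read live, so a demotion takes effect on the next request

    def set_role(self, username: str, role: str, revoke_sessions: bool = False) -> None:
        """Change a user's role; optionally invalidate every token issued to that user."""
        user = self.users[username]
        user.role = role
        if revoke_sessions:
            user.session_version += 1  # tokens carrying the old version no longer validate
```

Because the role is looked up per request rather than copied into the token at login, the demoted user loses the admin role immediately even without revocation; bumping the version additionally forces a new login for that user only.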