I'm building an application where a user with the 'Admin' user role can access a screen that lets them modify the user roles for all other users.

The challenge I'm facing is that when the Admin changes the roles for any user with an active session, the role change does not seem to reflect until the modified user logs out and logs back in, or their session expires.

How can I force the user roles to refresh so that the role update takes effect instantly?


Edit: Adding some additional information: I am using persistent roles, and the user authentication is handled externally (outside my application). The user roles are, of course, granted/revoked at the application level.

Hi Saransh,

Well, either way you need to refresh the page for the user. Having said that, you can call a method in the preparation of every page that makes a SOAP call which executes a function that explicitly logs in again using the system login function. That way all the roles will be refreshed from scratch and the user will reflect the updated permissions without having to log out.

Hope this helps!


Interesting question, Saransh.

In fact, the behaviour you described is exactly what happens. And I don't know if there is a way to "force" the new role to be recognized without login/logout or without dealing directly with the user_effective_role system entity, checking the role in the preparation and raising an exception if not allowed. This way you can dynamically recognize roles.

Another option would be to use Non Persistent roles...

Hope this helps.

Eduardo Jauch
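
The preparation-time check described in the reply above, sketched in Python as an added example that is not part of the original thread and is not OutSystems code. `RoleStore`, `Session`, `require_role` and the other names are hypothetical stand-ins for the persistent role entity and the platform session.

```python
# Added illustration; every class and function name here is hypothetical.
from dataclasses import dataclass, field

class NotAuthorized(Exception):
    """Raised when the user no longer holds the required role."""

@dataclass
class RoleStore:
    """Stand-in for the persistent role table (the authoritative record)."""
    grants: dict = field(default_factory=dict)  # user_id -> set of role names

    def grant(self, user_id, role):
        self.grants.setdefault(user_id, set()).add(role)

    def revoke(self, user_id, role):
        self.grants.get(user_id, set()).discard(role)

    def has_role(self, user_id, role):
        return role in self.grants.get(user_id, set())

@dataclass
class Session:
    """Roles are copied once at login, which is why later changes go unseen."""
    user_id: int
    cached_roles: frozenset

def login(store, user_id):
    return Session(user_id, frozenset(store.grants.get(user_id, set())))

def check_cached(session, role):
    # Session-snapshot check: stays true after a revocation until re-login.
    return role in session.cached_roles

def require_role(store, session, role):
    # Screen-preparation check: ask the store on every request, fail closed.
    if not store.has_role(session.user_id, role):
        raise NotAuthorized(f"user {session.user_id} lacks role {role!r}")

def demo():
    store = RoleStore()
    store.grant(7, "Admin")        # constructed sample data
    session = login(store, 7)
    store.revoke(7, "Admin")       # role removed while the session is active
    stale = check_cached(session, "Admin")
    try:
        require_role(store, session, "Admin")
        live = True
    except NotAuthorized:
        live = False
    return stale, live
```

`demo()` returns `(True, False)`: the session snapshot still grants access after the revocation, while the per-request lookup denies it.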


For future users looking at this thread, Eduardo's suggestion of checking the role in preparation and handling accordingly may be a valid solution.

For my particular use case, the effort to implement it did not seem worthwhile.

That being said, I believe the best way to proceed in such a scenario would probably be to extend the existing user-roles system. The inbuilt role management does not seem well suited to handle such cases.


How about the menu item if it's enclosed in an If statement that checks if the Role is admin? I still need to log out and log in again to see the effect if there are any changes in other roles.

Or should I not use the checkAdminRole of the system and just use the entity role for my if statements?


After assigning the role, the user_logout and user_login functions can be used for the same. If you don't log out and log in, then the role will take effect from the next session.