From bbe0d22ade159873ad8ad8c12b0c20929788d8f5 Mon Sep 17 00:00:00 2001
From: Joshua Toliver
Date: Fri, 6 Dec 2024 15:20:11 -0500
Subject: [PATCH] Fixing issue where changing password on another user changes the session

---
 app/controllers/api/v2/users_controller.rb | 2 +-
 spec/requests/api/v2/users_controller_spec.rb | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/v2/users_controller.rb b/app/controllers/api/v2/users_controller.rb
index 574b8130d6..552ea5e8b7 100644
--- a/app/controllers/api/v2/users_controller.rb
+++ b/app/controllers/api/v2/users_controller.rb
@@ -76,6 +76,6 @@ def identity_sync
   end
 
   def keep_user_signed_in
-    bypass_sign_in(@user) if @user.saved_change_to_encrypted_password?
+    bypass_sign_in(@user) if @user.saved_change_to_encrypted_password? && current_user == @user
   end
 end
diff --git a/spec/requests/api/v2/users_controller_spec.rb b/spec/requests/api/v2/users_controller_spec.rb
index 01c2485f3e..6358286fc9 100644
--- a/spec/requests/api/v2/users_controller_spec.rb
+++ b/spec/requests/api/v2/users_controller_spec.rb
@@ -682,6 +682,21 @@
       expect(controller.current_user).to eq(@user_d)
     end
 
+    it 'does not change logged in user session when password changed on another user' do
+      sign_in(@super_user)
+      params = {
+        data: {
+          password: 'primer0!',
+          password_confirmation: 'primer0!'
+        }
+      }
+      patch("/api/v2/users/#{@user_c.id}", params:)
+      expect(response).to have_http_status(200)
+      get('/api/v2/roles')
+      expect(response).to have_http_status(200)
+      expect(controller.current_user).to eq(@super_user)
+    end
+
     it "returns 403 if user isn't authorized to update users" do
       login_for_test
       params = {
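Review bot: The added `&& current_user == @user` guard in `keep_user_signed_in` is the security-relevant line of this change, yet nothing in the method says why it is there, and the method name alone suggests it applies to any updated user. Because `bypass_sign_in` replaces the request's session with the given user, the removed form let a caller who reset another account's password finish the request authenticated as that account; a reader without that context could "simplify" the guard away again. I would add a why-comment above the call, e.g. `# Refresh the session only when a user changed their own password; signing in as any other updated user would replace the caller's session with the target's.` If `current_user` can be nil for token-authenticated requests, the comparison still evaluates false and no sign-in happens, which seems to be the intended outcome but is worth confirming. The surrounding class starts outside the hunk.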
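Review bot: The new example only asserts that `@super_user` remains `controller.current_user`; it never checks that `@user_c`'s password was actually updated, so it would also pass if the PATCH were a silent no-op and the regression would not be exercised at all. After the first `have_http_status(200)` expectation I would add `expect(@user_c.reload.valid_password?('primer0!')).to be(true)`, assuming the model exposes Devise's `valid_password?` (the controller's use of `bypass_sign_in` and `saved_change_to_encrypted_password?` suggests it does). That makes the test prove both halves of the fix: the target's credential changed and the caller's session did not. The enclosing `describe` block begins and ends outside the hunk.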