huntr 4C4B7395-D9FD-4CA0-98D7-2E20C1249AFF
Sep 22, 2023 - 9:44 a.m.

Insufficient Session Expiration

nyeooo
www.huntr.dev
Tags: session expiration, admin action, user privileges, security vulnerability

AI Score: 7.2
Confidence: Low
EPSS: 0.001
Percentile: 37.4%

Description

A user's actions remain valid after an admin changes that user's privileges: the privileges granted when the user logged in keep applying to the existing session, so an action the admin has since revoked (such as deleting another user) still succeeds until the user logs in again.

Proof of Concept

  1. As admin, create user1 and grant it all privileges.

  2. In an incognito window, log in as user1 and open the user list page.

  3. As admin, create user2; in user1's browser, refresh the page and confirm that user2 appears.

  4. As admin, remove some of user1's privileges (in particular the ability to delete users). In user1's browser, without refreshing the page, delete user2: the deletion succeeds even though the privilege has been revoked.

// PoC.js
https://drive.google.com/file/d/1rHKktCLh42fPij_tg2yaEXNEOIKaerO2/view?usp=sharing
