From b3f3bd394ebcc7a34face6ae3b2490c7cf950e9c Mon Sep 17 00:00:00 2001
From: Mike Johnston
Date: Fri, 20 Mar 2026 22:17:50 -0400
Subject: [PATCH] fix stale auth permisisons

---
src/middleware/auth.js | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/middleware/auth.js b/src/middleware/auth.js
index a7c7685..969d9f6 100644
--- a/src/middleware/auth.js
+++ b/src/middleware/auth.js
@@ -33,10 +33,23 @@ function requireOrganizerOrAdmin(req, res, next) {
 function loadUser(req, res, next) {
 if (req.session && req.session.userId) {
+ // Refresh roles from DB on every request to catch admin changes
+ const { Users } = require('../models');
+ const user = Users.findById(req.session.userId);
+ if (!user) {
+ // User was deleted — destroy session
+ return req.session.destroy(() => {
+ res.locals.currentUser = null;
+ next();
+ });
+ }
+ req.session.isAdmin = !!user.is_admin;
+ req.session.isOrganizer = !!user.is_organizer;
+ req.session.displayName = user.display_name || user.username;
 res.locals.currentUser = {
 id: req.session.userId,
 username: req.session.username,
- displayName: req.session.displayName || req.session.username,
+ displayName: req.session.displayName,
 isAdmin: req.session.isAdmin,
 isOrganizer: req.session.isOrganizer
 };
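Review bot: The `req.session.destroy` callback in the deleted-user branch ignores the error it is handed, so a failing session store silently leaves the stale session in place while the request proceeds as anonymous; take the argument and forward it, `return req.session.destroy((err) => { if (err) return next(err); res.locals.currentUser = null; next(); });`. The refresh also assumes `Users.findById` is synchronous — if it returns a Promise, `user` is always truthy, the `!user` branch never fires, and `!!user.is_admin` is false for every user — so confirm the model's signature or make `loadUser` async, `await` the lookup, and wrap it in a try/catch that calls `next(err)`. The `require('../models')` would normally live at the top of the module rather than being re-resolved on every request. loadUser's body continues beyond the hunk, so the fall-through path for sessions without a userId is not visible here, and the hunk's trailing context line appears to be cut off.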