There is a bug in the access control system using ACL. Authorization and access control are not applied on user login, and are saved in a way that a user with any access will have the same access as the previous login.
I have two users with different access, for example one with full access named "Uber admin" and another with less access named "analyst".
When I log on with "Uber admin", then log out, then log on with "analyst", the analyst user has the same access as the previous user; that is, analyst has full access.
Vice versa, if I log on with analyst, then log out and log in with "Uber admin", I have the access of the previous user; that is, Uber admin has less access, like the analyst user.
I examined this problem with different browsers and different systems, and the problem persists! When I log in on another system with the user with wrong access, the user still has the wrong access.
Only when I restart the CRITs server do access controls return to the accurate ACL.
So the access control of a user isn't associated with username, session and IP address. Why does this problem appear and what is the solution?