When changing the groups of my current user (also the admin) by adding him to a new group, this fact was not registered by pages until after I logged out and back in again.
I was using the ifauth plugin (which uses aclquickcheck) to determine if I was in the new group, and this was not correctly identified until after I relogged. I feel group and ACL changes should take immediate effect.
I agree: ACL or user changes should take effect immediately and should not require logging out and logging in again. This is a feature request rather than a bug.
Thanks for your report.
(imho) definitely a bug.
There is a second side effect of the same code that causes the above. If a user's password is changed (perhaps because it has been compromised), any valid session using the old password & cookie will be authenticated by DW. That is, if someone has managed to access the wiki using an account which doesn't belong to them, they will be able to continue to access the wiki under that account as long as they keep the session current, regardless of the fact that the admin has changed the account password.
I'll push a patch to fix this.
Could we imagine some kind of special file (meta/_users/username ?) which DokuWiki would take care of and which, if existing (user change), would reset the authentication (and/or cookie) of the user? That could also be a way to forbid any user login in case of maintenance work on a wiki.
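
The behaviour requested in this thread, as an added illustration that is not DokuWiki code and not the patch mentioned above: the cached session is re-checked against the user record on every request, so a password change rejects the old session and a group change is picked up without a new login. The `$users` array standing in for the auth backend, and the function names `credential_tag`, `login` and `revalidate`, are assumptions made for this sketch.

```php
<?php
// Constructed sample backend: one user with a password hash and group list.
$users = [
    'alice' => ['hash' => password_hash('old-secret', PASSWORD_DEFAULT), 'grps' => ['user']],
];

// Tag derived from the stored password hash; it changes whenever the
// password is reset, because password_hash() salts every new hash.
function credential_tag(array $record): string
{
    return hash('sha256', $record['hash']);
}

// Normal login: verify the password once and cache the result in the session.
function login(array $users, string $name, string $pass): ?array
{
    $rec = $users[$name] ?? null;
    if ($rec === null || !password_verify($pass, $rec['hash'])) {
        return null;
    }
    return ['user' => $name, 'tag' => credential_tag($rec), 'grps' => $rec['grps']];
}

// Run on every request instead of trusting the cached session as-is.
function revalidate(array $users, array $session): ?array
{
    $rec = $users[$session['user']] ?? null;
    if ($rec === null || !hash_equals(credential_tag($rec), $session['tag'])) {
        return null; // user removed or password changed: drop the session
    }
    $session['grps'] = $rec['grps']; // group changes apply immediately
    return $session;
}

$session = login($users, 'alice', 'old-secret');

// The admin adds alice to a new group while her session is live.
$users['alice']['grps'][] = 'editors';
$session = revalidate($users, $session);
echo in_array('editors', $session['grps'], true) ? "groups refreshed\n" : "groups stale\n";

// The admin resets the password; the session opened with the old one is rejected.
$users['alice']['hash'] = password_hash('new-secret', PASSWORD_DEFAULT);
echo revalidate($users, $session) === null ? "session rejected\n" : "session still valid\n";
```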