[ticket/9526] If an admin changes a user's 'user_allow_viewonline' flag to 'hide me' the admin usually wants that user to be hidden immediately. We therefore have to update his session if one exists.

In the UCP this is not necessary, because there is code in $user->setup() that updates the session table on the next page reload.

Since we cannot tell if the user generally wants to be hidden or the user only wants to be hidden for one session, we only update the session table when setting the flag to 'hide me', but not 'show me' - equivalent to how it works in the UCP.

If the user is a bot we however also update the session when setting the flag to 'show me' because bots cannot login at all.

PHPBB3-9526

phpBB/includes/acp/acp_users.php

@@ -1550,6 +1550,31 @@ class acp_users
 							WHERE user_id = $user_id";
 						$db->sql_query($sql);
 
+						// Check if user has an active session
+						if ($user_row['session_id'])
+						{
+							// We'll update the session if user_allow_viewonline has changed and the user is a bot
+							// Or if it's a regular user and the admin set it to hide the session
+							if ($user_row['user_allow_viewonline'] != $sql_ary['user_allow_viewonline'] && $user_row['user_type'] == USER_IGNORE
+								|| $user_row['user_allow_viewonline'] && !$sql_ary['user_allow_viewonline'])
+							{
+								// We also need to check if the user has the permission to cloak.
+								$user_auth = new auth();
+								$user_auth->acl($user_row);
+
+								$session_sql_ary = array(
+									'session_viewonline'	=> ($user_auth->acl_get('u_hideonline')) ? $sql_ary['user_allow_viewonline'] : true,
+								);
+
+								$sql = 'UPDATE ' . SESSIONS_TABLE . '
+									SET ' . $db->sql_build_array('UPDATE', $session_sql_ary) . "
+									WHERE session_user_id = $user_id";
+								$db->sql_query($sql);
+
+								unset($user_auth);
+							}
+						}
+
 						trigger_error($user->lang['USER_PREFS_UPDATED'] . adm_back_link($this->u_action . '&u=' . $user_id));
 					}