This is an edge case, but probably worth investigating for the sake of consistency.
If a user's permissions are changed in the database while they are logged in to Thoth, the app view automatically updates on the next `renew`; however, any actions they attempt to take are subject to API checks based on their old permission set.
For example, if a user originally only has permissions for one publisher, but is then granted superuser permissions in the database, the next `renew` will cause the page they are on to refresh accordingly. If they are on a Work page viewing the Imprints dropdown, the list of available Imprints will expand to show the full set, not just ones linked to their original publisher. However, if the user then tries to select one of these newly available Imprints and save the Work, they will get an `Invalid credentials` error.
This cannot be fixed by refreshing the page or navigating back and forth between pages; the only fix appears to be logging out and logging back in again.
Debug logging in the API showed that the issue is caused by `context.account_access` still having the old permission set (the same is true of `context.token`); therefore, API checks which use the `context` will fail incorrectly (or succeed incorrectly if the user's permission set has been newly restricted rather than newly expanded, although the app view reload should prevent these actions being reachable).
(Edited to add: the app view reload does not prevent a user that's just been demoted from superuser from creating new Publishers - so this is a prohibited action that is still reachable. One solution would be to disable the "New" button on the "Publishers" page for non-superusers.)
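Added example (not part of the issue, and not Thoth's own code): a minimal Rust model of the failure mode described above. `Role`, `AccountDb`, `Context` and both check functions are hypothetical stand-ins; `Context::login` snapshots the role into the session the way the issue describes `context.account_access` being populated, and the two scenario functions reproduce both the promoted-user case (correct action wrongly denied) and the demoted-superuser case from the edited note (prohibited action wrongly allowed). The `*_fresh` check re-reads the account's current role from the store on every request, so the decision follows the database rather than the login-time snapshot.

```rust
// Added example (not Thoth's own code): models the stale-permission bug described in the
// issue. `AccountDb`, `Role`, `Context` and the check functions are all hypothetical.
use std::collections::HashMap;

/// A deliberately tiny permission model: either scoped to one publisher id, or superuser.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role {
    Publisher(u32),
    Superuser,
}

/// Stand-in for the accounts table: account id -> current role (hypothetical).
#[derive(Default)]
pub struct AccountDb {
    roles: HashMap<u32, Role>,
}

impl AccountDb {
    pub fn set_role(&mut self, account: u32, role: Role) {
        self.roles.insert(account, role);
    }
    pub fn role(&self, account: u32) -> Option<Role> {
        self.roles.get(&account).copied()
    }
}

/// Request context as the issue describes it: `account_access` is a snapshot taken at
/// login and carried with the session, so it goes stale when the DB row changes.
pub struct Context {
    pub account_id: u32,
    pub account_access: Role,
}

impl Context {
    /// Simulates login: copies the role out of the DB into the session context.
    pub fn login(db: &AccountDb, account: u32) -> Option<Context> {
        Some(Context { account_id: account, account_access: db.role(account)? })
    }
}

/// Stale check (the reported behaviour): decides from the login-time snapshot only.
pub fn can_edit_publisher_stale(ctx: &Context, publisher: u32) -> bool {
    match ctx.account_access {
        Role::Superuser => true,
        Role::Publisher(p) => p == publisher,
    }
}

/// Fresh check: re-reads the account's current role on every request, so a promotion
/// takes effect immediately and a demotion is enforced without a re-login.
pub fn can_edit_publisher_fresh(ctx: &Context, db: &AccountDb, publisher: u32) -> bool {
    match db.role(ctx.account_id) {
        Some(Role::Superuser) => true,
        Some(Role::Publisher(p)) => p == publisher,
        None => false, // account removed since login: fail closed
    }
}

/// Scenario 1 from the issue: a user scoped to publisher 1 logs in, is promoted to
/// superuser in the DB, then tries to act on publisher 2.
/// Returns (stale_result, fresh_result).
pub fn promoted_scenario() -> (bool, bool) {
    let mut db = AccountDb::default();
    db.set_role(42, Role::Publisher(1));
    let ctx = Context::login(&db, 42).expect("account exists");
    db.set_role(42, Role::Superuser); // DB change while the user is logged in
    (can_edit_publisher_stale(&ctx, 2), can_edit_publisher_fresh(&ctx, &db, 2))
}

/// Scenario 2 (the "edited to add" note): a superuser logs in, is demoted to a single
/// publisher, then tries to act on another publisher.
/// Returns (stale_result, fresh_result).
pub fn demoted_scenario() -> (bool, bool) {
    let mut db = AccountDb::default();
    db.set_role(7, Role::Superuser);
    let ctx = Context::login(&db, 7).expect("account exists");
    db.set_role(7, Role::Publisher(1)); // DB change while the user is logged in
    (can_edit_publisher_stale(&ctx, 2), can_edit_publisher_fresh(&ctx, &db, 2))
}

fn main() {
    // Expected: promoted -> (false, true), demoted -> (true, false)
    println!("promoted (stale, fresh) = {:?}", promoted_scenario());
    println!("demoted  (stale, fresh) = {:?}", demoted_scenario());
}
```

The stale variant is wrong in both directions: it denies the promoted user (the `Invalid credentials` symptom) and keeps honouring the demoted superuser until they log out. The same applies to anything derived from `context.token`, since the token's claims were also fixed at login; either re-read the permission set per request as the fresh variant does, or invalidate the session when an account's permissions change, so that the UI change on `renew` and the API's decision cannot disagree.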