jdabtieu/CTFOJ

Permission expiry

Closed this issue · 0 comments

Currently, permissions are cached indefinitely in a logged-in user's session. This means that if permissions are added or removed, they don't actually take effect unless the user logs out and then back in. At best, it's inconvenient, and at worst, it's dangerous.

The cache should be repopulated every 5? 10? minutes (striking a good balance with performance). Should it also be repopulated for important actions? e.g. changing other permissions, or all POST actions, or...? Maybe, but we have to consider the performance implications.
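
One way to implement the expiry proposed in this issue, as an added example that is not CTFOJ's code: the session stores a fetch timestamp next to the cached permissions, and the cache is reloaded once it is older than a TTL or when the request is a POST. The session keys, the `load_perms` callable, the 300-second TTL and the permission names are assumptions made for the illustration.

```python
import time

PERM_TTL_SECONDS = 300             # assumed; the issue floats 5 to 10 minutes
ALWAYS_REFRESH_METHODS = {"POST"}  # assumed; one option the issue raises


def current_perms(session, load_perms, method="GET", now=None):
    """Return the user's permissions, reloading the session cache when stale.

    session    -- dict-like per-user session holding "user_id"
    load_perms -- hypothetical callable: user_id -> iterable of permission names
    method     -- HTTP method of the request being authorized
    """
    now = time.time() if now is None else now
    fetched_at = session.get("perms_fetched_at")
    stale = (
        fetched_at is None
        or now - fetched_at >= PERM_TTL_SECONDS
        or now < fetched_at  # clock moved backwards: distrust the cache
    )
    if stale or method in ALWAYS_REFRESH_METHODS:
        # Stored as a sorted list so it survives JSON session serialization.
        session["perms"] = sorted(load_perms(session["user_id"]))
        session["perms_fetched_at"] = now
    return set(session["perms"])


def demo():
    """Constructed scenario: permissions change while the user stays logged in."""
    db = {1: {"admin", "content_manager"}}  # stand-in for the permissions table
    loads = []                              # records each backing-store read

    def load(user_id):
        loads.append(user_id)
        return db.get(user_id, set())

    session = {"user_id": 1}
    seen = ["admin" in current_perms(session, load, now=0)]            # first load
    db[1].discard("admin")                                             # revoked elsewhere
    seen.append("admin" in current_perms(session, load, now=60))       # still cached
    seen.append("admin" in current_perms(session, load, now=300))      # TTL expired
    db[1].add("admin")                                                 # granted again
    seen.append("admin" in current_perms(session, load, now=310))      # still cached
    seen.append("admin" in current_perms(session, load, "POST", 311))  # forced reload
    return seen, len(loads)


if __name__ == "__main__":
    print(demo())
```

The second result shows the window the issue calls dangerous: a revoked permission stays usable on cached requests until the TTL lapses, so the TTL is the upper bound on how long a revocation can be ignored.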