Passed user objects are not reloaded from database during CRUD operations #1155

helkv opened this issue Sep 6, 2019 · 0 comments
Labels: bug (Issue found during QA testphase (qa-imeji))

helkv commented Sep 6, 2019

Testserver: qa imeji
Browser: ff
Version: 4.6 - build date 2019-08-30 12:57:36
User: Admin & User

Passed user objects are not reloaded from database when CRUD operations are executed.

When authorization is checked during a CRUD operation the grants of the passed session user object are used.
Outdated grants are used for the authorization check, if the user grants have changed but the session user was not updated.

Actions:

  1. Login as user
  2. Login as admin [parallel in another browser/session]
  3. Open edit item view of an item (as user)
  4. Remove the edit grant from the user for this item/collection (as admin)
  5. Edit and save the item (as user)
  6. The user can still save the changes and the item gets updated, although the user has no more rights to edit the item

Expected (result): User grants should be reloaded from DB before/in the authorization-check => user can make changes only on the basis of his current DB grants, even if his session grants are outdated.
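The following is an added example, not imeji code, that models the two behaviours the report contrasts: an authorization check against the grants snapshot held in the session user (the reported behaviour) beside one that reloads the user's grants from the store at check time (the expected behaviour). All names (GrantStore, SessionUser, update_item_stale, update_item_fresh) and the in-memory grant store are constructed for illustration.

```python
"""Stale session grants vs. grants reloaded at check time (model of imeji #1155).

Constructed example: the 'database' is an in-memory dict and the session user
is a snapshot of grants taken at login, mirroring the report's steps 1-6.
"""
from dataclasses import dataclass


class PermissionDenied(Exception):
    pass


class GrantStore:
    """Hypothetical persistent store: user id -> set of (grant, target) pairs."""
    def __init__(self):
        self._grants = {"user": {("edit", "collection/1")}}

    def grants_for(self, user_id):
        # Return a copy so callers holding a snapshot are not updated implicitly.
        return set(self._grants.get(user_id, set()))

    def revoke(self, user_id, grant, target):
        self._grants[user_id].discard((grant, target))


@dataclass
class SessionUser:
    user_id: str
    grants: set  # copied at login and never refreshed for the session lifetime


def login(store, user_id):
    return SessionUser(user_id, store.grants_for(user_id))


def update_item_stale(session_user, collection, store):
    """Reported behaviour: authorize against the session snapshot only."""
    if ("edit", collection) not in session_user.grants:
        raise PermissionDenied(f"{session_user.user_id} may not edit {collection}")
    return "updated"


def update_item_fresh(session_user, collection, store):
    """Expected behaviour: reload the user's current grants before deciding."""
    current = store.grants_for(session_user.user_id)
    if ("edit", collection) not in current:
        raise PermissionDenied(f"{session_user.user_id} may not edit {collection}")
    return "updated"


def save_succeeds_after_revocation(check):
    """Replay the issue's steps against `check`; True means the save went through."""
    store = GrantStore()
    user = login(store, "user")                    # step 1: user logs in, grants snapshotted
    store.revoke("user", "edit", "collection/1")   # step 4: admin revokes the edit grant
    try:
        check(user, "collection/1", store)         # step 5: user saves the item
        return True
    except PermissionDenied:
        return False
```

Running `save_succeeds_after_revocation` with `update_item_stale` reproduces step 6 (the save is accepted), while `update_item_fresh` rejects it.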
