From 422ec069616095acac4b66054f4d2cb39c0ca2f6 Mon Sep 17 00:00:00 2001
From: Kevin Roast
Date: Mon, 29 Jun 2009 19:28:36 +0000
Subject: [PATCH] Fix for ALFCOM-3086 - admin enforced to enter an old password when changing their own password.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@15017 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../alfresco/repo/web/scripts/person/ChangePasswordPost.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source/java/org/alfresco/repo/web/scripts/person/ChangePasswordPost.java b/source/java/org/alfresco/repo/web/scripts/person/ChangePasswordPost.java
index d5862f0731..6261663a10 100644
--- a/source/java/org/alfresco/repo/web/scripts/person/ChangePasswordPost.java
+++ b/source/java/org/alfresco/repo/web/scripts/person/ChangePasswordPost.java
@@ -94,7 +94,7 @@ public class ChangePasswordPost extends DeclarativeWebScript
  // admin users can change/set a password without knowing the old one
  boolean isAdmin = authorityService.hasAdminAuthority();
- if (!isAdmin)
+ if (!isAdmin || (userName.equalsIgnoreCase(authenticationService.getCurrentUserName())))
  {
  if (!json.has(PARAM_OLDPW) || json.getString(PARAM_OLDPW).length() == 0)
  {
@@ -111,7 +111,8 @@ public class ChangePasswordPost extends DeclarativeWebScript
  newPassword = json.getString(PARAM_NEWPW);
  // update the password
- if (!isAdmin)
+ // an Admin user can update without knowing the original pass - but must know their own!
+ if (!isAdmin || (userName.equalsIgnoreCase(authenticationService.getCurrentUserName())))
  {
  authenticationService.updateAuthentication(userName, oldPassword.toCharArray(), newPassword.toCharArray());
  }
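Review bot: The condition that decides whether the old password is required, `!isAdmin || userName.equalsIgnoreCase(authenticationService.getCurrentUserName())`, is written out twice, once in the first hunk where `PARAM_OLDPW` is validated and again in the second hunk where `updateAuthentication` is called. The two copies must stay identical for `oldPassword.toCharArray()` to be safe; if a later edit touches only one, an admin changing their own password would either dereference a null `oldPassword` or take whatever path follows this `if` (not visible here) without the old password being checked. I would evaluate it once next to `isAdmin`, e.g. `boolean requireOldPassword = !isAdmin || userName.equalsIgnoreCase(authenticationService.getCurrentUserName());`, and test `requireOldPassword` in both places. The comparison also fails open: `userName` is assigned outside the hunk, and if it can arrive in a different form from what `getCurrentUserName()` returns, or as null, the self-change case is not recognised, so it is worth confirming both values are normalised the same way. The enclosing method begins and ends outside both hunks.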