From 5f3dbd82942593352d1cad2f7f168ab1aabe8b70 Mon Sep 17 00:00:00 2001
From: David Ullmer
Date: Mon, 4 Jul 2022 18:16:36 +0200
Subject: [PATCH] Allow administrator to always change password
---
 Jellyfin.Api/Controllers/UserController.cs | 23 ++++++++++++----------
 Jellyfin.Api/Helpers/RequestHelpers.cs | 12 +++++++++++
 2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/Jellyfin.Api/Controllers/UserController.cs b/Jellyfin.Api/Controllers/UserController.cs
index 6fb295eb89..25dc6a785c 100644
--- a/Jellyfin.Api/Controllers/UserController.cs
+++ b/Jellyfin.Api/Controllers/UserController.cs
@@ -282,17 +282,20 @@ namespace Jellyfin.Api.Controllers
 }
 else
 {
- var success = await _userManager.AuthenticateUser(
- user.Username,
- request.CurrentPw,
- request.CurrentPw,
- HttpContext.GetNormalizedRemoteIp().ToString(),
- false,
- ignoreParentalSchedule: true).ConfigureAwait(false);
-
- if (success == null)
+ if (await RequestHelpers.IsUserAdministrator(_authContext, HttpContext.Request).ConfigureAwait(false))
 {
- return StatusCode(StatusCodes.Status403Forbidden, "Invalid user or password entered.");
+ var success = await _userManager.AuthenticateUser(
+ user.Username,
+ request.CurrentPw,
+ request.CurrentPw,
+ HttpContext.GetNormalizedRemoteIp().ToString(),
+ false,
+ ignoreParentalSchedule: true).ConfigureAwait(false);
+
+ if (success == null)
+ {
+ return StatusCode(StatusCodes.Status403Forbidden, "Invalid user or password entered.");
+ }
 }
 
 await _userManager.ChangePassword(user, request.NewPw).ConfigureAwait(false);
diff --git a/Jellyfin.Api/Helpers/RequestHelpers.cs b/Jellyfin.Api/Helpers/RequestHelpers.cs
index 20427d7fab..f79a301341 100644
--- a/Jellyfin.Api/Helpers/RequestHelpers.cs
+++ b/Jellyfin.Api/Helpers/RequestHelpers.cs
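Review bot: In `UserController.cs` the added guard in the `else` branch looks inverted: `AuthenticateUser` with `request.CurrentPw` now runs only when `IsUserAdministrator` returns true, so a non-administrator request reaches `_userManager.ChangePassword(user, request.NewPw)` without the current password being verified, while administrators are still asked for it. That is the opposite of the commit subject and drops the re-authentication step for ordinary accounts, so an unattended or leaked session would be enough to take over the account. The condition should be negated: `if (!await RequestHelpers.IsUserAdministrator(_authContext, HttpContext.Request).ConfigureAwait(false))`. The enclosing action and any access check before this branch are outside the hunk, so which callers can reach it needs confirming there; a test that sends a wrong `CurrentPw` as a non-admin and expects 403 would pin the behaviour.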
@@ -76,6 +76,18 @@ namespace Jellyfin.Api.Helpers
 return true;
 }
 
+ ///
+ /// Checks if the user is administrator.
+ ///
+ /// Instance of the interface.
+ /// The .
+ /// A whether the user can update the entry.
+ internal static async Task IsUserAdministrator(IAuthorizationContext authContext, HttpRequest requestContext)
+ {
+ var auth = await authContext.GetAuthorizationInfo(requestContext).ConfigureAwait(false);
+ return auth.User.HasPermission(PermissionKind.IsAdministrator);
+ }
+
 internal static async Task GetSession(ISessionManager sessionManager, IAuthorizationContext authContext, HttpRequest request)
 {
 var authorization = await authContext.GetAuthorizationInfo(request).ConfigureAwait(false);
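Review bot: `IsUserAdministrator` dereferences `auth.User` without a null check, so if `GetAuthorizationInfo` can return an authorization with no user attached (not visible in this hunk, but plausible for a token that is not bound to an account), the password endpoint throws instead of reaching a decision. Because the result decides whether the current password is verified, a missing user should be treated as not an administrator: `return auth.User?.HasPermission(PermissionKind.IsAdministrator) ?? false;`. The returns text "whether the user can update the entry" also reads as carried over from another helper; it should say the value is true when the requesting user holds `PermissionKind.IsAdministrator`, and that the check is on the requester rather than on the account being modified.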