diff --git a/Jellyfin.Api/Controllers/UserController.cs b/Jellyfin.Api/Controllers/UserController.cs
index 6fb295eb89..25dc6a785c 100644
--- a/Jellyfin.Api/Controllers/UserController.cs
+++ b/Jellyfin.Api/Controllers/UserController.cs
@@ -282,17 +282,20 @@ namespace Jellyfin.Api.Controllers
}
else
{
- var success = await _userManager.AuthenticateUser(
- user.Username,
- request.CurrentPw,
- request.CurrentPw,
- HttpContext.GetNormalizedRemoteIp().ToString(),
- false,
- ignoreParentalSchedule: true).ConfigureAwait(false);
-
- if (success == null)
+ if (await RequestHelpers.IsUserAdministrator(_authContext, HttpContext.Request).ConfigureAwait(false))
{
- return StatusCode(StatusCodes.Status403Forbidden, "Invalid user or password entered.");
+ var success = await _userManager.AuthenticateUser(
+ user.Username,
+ request.CurrentPw,
+ request.CurrentPw,
+ HttpContext.GetNormalizedRemoteIp().ToString(),
+ false,
+ ignoreParentalSchedule: true).ConfigureAwait(false);
+
+ if (success == null)
+ {
+ return StatusCode(StatusCodes.Status403Forbidden, "Invalid user or password entered.");
+ }
}
await _userManager.ChangePassword(user, request.NewPw).ConfigureAwait(false);
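Review bot: The new guard `if (await RequestHelpers.IsUserAdministrator(...))` looks inverted: as written, `AuthenticateUser` verifies the current password only when the caller is an administrator, and every non-administrator caller reaches `ChangePassword` with no check of `request.CurrentPw`. If the intent is to let administrators reset a password without knowing it, negate the guard: `if (!await RequestHelpers.IsUserAdministrator(_authContext, HttpContext.Request).ConfigureAwait(false))`. Even then, consider still requiring the current password when an administrator changes their own password, so that a compromised admin session cannot be turned into a credential change. The enclosing action starts before this hunk, so any earlier authorization check on the target user is not visible here.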
diff --git a/Jellyfin.Api/Helpers/RequestHelpers.cs b/Jellyfin.Api/Helpers/RequestHelpers.cs
index 20427d7fab..f79a301341 100644
--- a/Jellyfin.Api/Helpers/RequestHelpers.cs
+++ b/Jellyfin.Api/Helpers/RequestHelpers.cs
@@ -76,6 +76,18 @@ namespace Jellyfin.Api.Helpers
return true;
}
+ ///
+ /// Checks if the user is administrator.
+ ///
+ /// Instance of the interface.
+ /// The .
+ /// A whether the user can update the entry.
+ internal static async Task IsUserAdministrator(IAuthorizationContext authContext, HttpRequest requestContext)
+ {
+ var auth = await authContext.GetAuthorizationInfo(requestContext).ConfigureAwait(false);
+ return auth.User.HasPermission(PermissionKind.IsAdministrator);
+ }
+
internal static async Task GetSession(ISessionManager sessionManager, IAuthorizationContext authContext, HttpRequest request)
{
var authorization = await authContext.GetAuthorizationInfo(request).ConfigureAwait(false);
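Review bot: `auth.User` is dereferenced without a null check in `IsUserAdministrator`. If `GetAuthorizationInfo` can return an authorization with no associated user (not visible in this hunk, but plausible for unauthenticated or key-based requests), the method throws instead of denying. Because the result gates a password change, it should fail closed: `return auth.User != null && auth.User.HasPermission(PermissionKind.IsAdministrator);`. The returns doc line also appears to be copied from the method above ("whether the user can update the entry") and should state that it reports whether the requesting user is an administrator.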