| 1575 | // @Success 204 |
| 1576 | // @Router /api/v2/users/{user}/password [put] |
| 1577 | func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) { |
| 1578 | var ( |
| 1579 | ctx = r.Context() |
| 1580 | user = httpmw.UserParam(r) |
| 1581 | params codersdk.UpdateUserPasswordRequest |
| 1582 | apiKey = httpmw.APIKey(r) |
| 1583 | auditor = *api.Auditor.Load() |
| 1584 | aReq, commitAudit = audit.InitRequest[database.User](rw, &audit.RequestParams{ |
| 1585 | Audit: auditor, |
| 1586 | Log: api.Logger, |
| 1587 | Request: r, |
| 1588 | Action: database.AuditActionWrite, |
| 1589 | }) |
| 1590 | ) |
| 1591 | defer commitAudit() |
| 1592 | aReq.Old = user |
| 1593 | |
| 1594 | if !api.Authorize(r, policy.ActionUpdatePersonal, user) { |
| 1595 | httpapi.ResourceNotFound(rw) |
| 1596 | return |
| 1597 | } |
| 1598 | |
| 1599 | // Only owners can change the password of another owner. |
| 1600 | if apiKey.UserID != user.ID && slices.Contains(user.RBACRoles, rbac.RoleOwner().String()) { |
| 1601 | actingUser, err := api.Database.GetUserByID(ctx, apiKey.UserID) |
| 1602 | if err != nil { |
| 1603 | httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{ |
| 1604 | Message: "Internal error fetching acting user.", |
| 1605 | Detail: err.Error(), |
| 1606 | }) |
| 1607 | return |
| 1608 | } |
| 1609 | if !slices.Contains(actingUser.RBACRoles, rbac.RoleOwner().String()) { |
| 1610 | httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ |
| 1611 | Message: "Only owners can change the password of an owner.", |
| 1612 | }) |
| 1613 | return |
| 1614 | } |
| 1615 | } |
| 1616 | |
| 1617 | if !httpapi.Read(ctx, rw, r, ¶ms) { |
| 1618 | return |
| 1619 | } |
| 1620 | |
| 1621 | if user.LoginType != database.LoginTypePassword { |
| 1622 | httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ |
| 1623 | Message: "Users without password login type cannot change their password.", |
| 1624 | }) |
| 1625 | return |
| 1626 | } |
| 1627 | |
| 1628 | // A user need to put its own password to update it |
| 1629 | if apiKey.UserID == user.ID && params.OldPassword == "" { |
| 1630 | httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ |
| 1631 | Message: "Old password is required.", |
| 1632 | }) |
| 1633 | return |
| 1634 | } |