From 034157be9a808d479d43489c93f344a9708e2bf6 Mon Sep 17 00:00:00 2001
From: Matt Hook
Date: Mon, 18 Sep 2023 12:29:12 +1200
Subject: [PATCH] improved user update validation (#10322)

---
 api/http/handler/users/user_update.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/api/http/handler/users/user_update.go b/api/http/handler/users/user_update.go
index cbe265782..6fa916987 100644
--- a/api/http/handler/users/user_update.go
+++ b/api/http/handler/users/user_update.go
@@ -113,6 +113,14 @@ func (handler *Handler) userUpdate(w http.ResponseWriter, r *http.Request) *http
 		user.Username = payload.Username
 	}
 
+	if payload.Password != "" && payload.NewPassword == "" {
+		if tokenData.Role == portainer.AdministratorRole {
+			return httperror.BadRequest("Existing password field specified without new password field.", errors.New("To change the password as an admin, you only need 'newPassword' in your request"))
+		}
+
+		return httperror.BadRequest("Existing password field specified without new password field.", errors.New("To change the password, you must include both 'password' and 'newPassword' in your request"))
+	}
+
 	if payload.NewPassword != "" {
 		// Non-admins need to supply the previous password
 		if tokenData.Role != portainer.AdministratorRole {
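Review bot: The two BadRequest returns in the new `payload.Password != "" && payload.NewPassword == ""` block repeat the same user-facing message and differ only in the wrapped detail, so the role branch can select the detail string and a single return can carry it, which also keeps the two messages from drifting apart later. The check itself is role-independent (a password sent without newPassword is never a valid request), so it may be worth noting in a comment that only the guidance text depends on `tokenData.Role`, e.g. `// Reject 'password' without 'newPassword' for every role; the detail text only explains what each role must supply.` The enclosing `userUpdate` handler starts before and continues after this hunk, so whether an admin's own-account change is handled by the `payload.NewPassword != ""` branch below cannot be confirmed from here.
```go
	if payload.Password != "" && payload.NewPassword == "" {
		// Reject 'password' without 'newPassword' for every role; the detail text only explains what each role must supply.
		detail := "To change the password, you must include both 'password' and 'newPassword' in your request"
		if tokenData.Role == portainer.AdministratorRole {
			detail = "To change the password as an admin, you only need 'newPassword' in your request"
		}

		return httperror.BadRequest("Existing password field specified without new password field.", errors.New(detail))
	}
	// … unchanged: newPassword handling …
```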