From ec002004113dbf2ecd16ebd6fa952c26409a5afa Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Sat, 5 Dec 2020 16:20:29 +0100
Subject: [PATCH] fix bug #3189: fix change_password permission checks, run protected
---
 src/api2/access.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/api2/access.rs b/src/api2/access.rs
index 3b59b3d3..2f7fb6ec 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -181,6 +181,7 @@ fn create_ticket(
 }
 #[api(
+ protected: true,
 input: {
 properties: {
 userid: {
@@ -195,7 +196,6 @@ fn create_ticket(
 description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
 permission: &Permission::Anybody,
 },
-
 )]
 /// Change user password
 ///
@@ -215,7 +215,7 @@ fn change_password(
 let mut allowed = userid == current_user;
- if userid == "root@pam" { allowed = true; }
+ if current_user == "root@pam" { allowed = true; }
 if !allowed {
 let user_info = CachedUserInfo::new()?;
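Review bot: The added `protected: true` in the `#[api(...)]` attribute (hunk `@@ -181,6 +181,7`) has no explanation next to it, and the same attribute still declares `permission: &Permission::Anybody`. The schema therefore admits every authenticated caller, and as far as I understand the flag the handler now runs in the privileged context, which leaves the inline check in the function body as the only authorization gate. I would say so in the doc comment, for example `/// Runs protected; access is enforced inside the handler, not by the schema permission.` The attribute and the function it decorates continue outside this hunk.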
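Review bot: In hunk `@@ -215,7 +215,7`, the corrected line `if current_user == "root@pam" { allowed = true; }` is still one of several independent `if` statements flipping a mutable `allowed` flag, and nothing marks `userid` as the target and `current_user` as the caller, which is the confusion this commit fixes. I would add `// the caller, not the target account, must be root@pam to skip the privilege lookup` above it and fold the first two tests into `let mut allowed = userid == current_user || current_user == "root@pam";`. No regression test is visible in the patch; a case where a non-root caller targets `root@pam` and is refused would pin the fix. The function body starts and ends outside the hunk, so whether the 'Permissions:Modify' fallback excludes `root@pam` as a target cannot be checked from here and is worth confirming.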