Description
The REST web services module has an endpoint that lets an authorized user change their password. However, the endpoint does not accept the old password, so it cannot verify that the person requesting the change is actually authorized to make it. We are planning to fix that.
Please refer to the following link for more information.
https://talk.openmrs.org/t/rest-should-require-you-to-send-the-old-password-when-updating-your-password/9316
Dev Notes
This should behave similarly to how changing a password works in the underlying Java API:
- Anyone can change their own password (and must give their old password to do so) via https://github.com/openmrs/openmrs-core/blob/2.0.2/api/src/main/java/org/openmrs/api/UserService.java#L313
- A superuser (or technically anyone with the "Edit User Passwords" privilege) can change anyone's password without needing to provide the old password via https://github.com/openmrs/openmrs-core/blob/2.0.2/api/src/main/java/org/openmrs/api/UserService.java#L324
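
The two rules above can be sketched as a single authorization check. This is an added example, not code from OpenMRS or the REST module. The `Account` class, the returned HTTP status codes and the PBKDF2 password storage are assumptions made for illustration, as is letting a privileged caller skip the old password for any account, their own included.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordChangePolicy {
    static final String EDIT_USER_PASSWORDS = "Edit User Passwords"; // privilege named in the ticket

    // Hypothetical account record for this sketch, not the OpenMRS User class.
    static final class Account {
        final Set<String> privileges;
        final byte[] salt = new byte[16];
        byte[] hash;
        Account(String password, String... privileges) {
            this.privileges = Set.of(privileges);
            new SecureRandom().nextBytes(salt);
            this.hash = derive(password, salt);
        }
    }

    // Salted, slow password hash (assumed storage scheme for this sketch).
    static byte[] derive(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // Returns the HTTP status a handler might send; the status codes are assumptions.
    static int changePassword(Account caller, Account target, String oldPassword, String newPassword) {
        if (caller == null) return 401;
        if (newPassword == null || newPassword.isEmpty()) return 400;
        if (!caller.privileges.contains(EDIT_USER_PASSWORDS)) {
            if (caller != target) return 403;    // unprivileged callers may only change their own password
            if (oldPassword == null) return 400; // a self-service change must carry the old password
            // Compare the derived hashes in constant time.
            if (!MessageDigest.isEqual(derive(oldPassword, target.salt), target.hash)) return 403;
        }
        target.hash = derive(newPassword, target.salt);
        return 204;
    }

    public static void main(String[] args) {
        Account admin = new Account("Admin123", EDIT_USER_PASSWORDS); // constructed sample accounts
        Account nurse = new Account("Nurse123");
        System.out.println("self, no old password:    " + changePassword(nurse, nurse, null, "New12345"));
        System.out.println("self, wrong old password: " + changePassword(nurse, nurse, "guess", "New12345"));
        System.out.println("self, correct old:        " + changePassword(nurse, nurse, "Nurse123", "New12345"));
        System.out.println("other user, unprivileged: " + changePassword(nurse, admin, "Admin123", "New12345"));
        System.out.println("privileged, no old:       " + changePassword(admin, nurse, null, "Reset1234"));
    }
}
```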