From 6e121bf2d80b5219af7a7c7b6055b370aa43c36c Mon Sep 17 00:00:00 2001
From: Colin Okay <okay@toyful.space>
Date: Thu, 24 Mar 2022 16:38:57 -0500
Subject: [bugfix] Admins can change passwords without knowing current password

---
 src/main.lisp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/main.lisp b/src/main.lisp
index 2db13a4..abf5405 100644
--- a/src/main.lisp
+++ b/src/main.lisp
@@ -665,8 +665,9 @@ is an API Access token."
   (unless (or (eq who (api-contributor token))
               (adminp (api-contributor token)))
     (http-err 403 "Cannot change that password."))
-  (unless (is-current-password-p who current)
-    (http-err 400 "The old password is incorrect."))
+  (unless (or (adminp (api-contributor token))
+              (is-current-password-p who current))
+    (http-err 400 "The old password is incorrect"))
   (unless (equalp value repeated)
     (http-err 400 "The two passwords do not match."))
   (update-password who value)
-- 
cgit v1.2.3