fix: exit reset password request before passwords are compared (#13856)

2025-07-03 16:13:58 +00:00 · 2024-07-09 14:28:39 -05:00
parent 3894ae17a7
commit d50ffa78f6
5 changed files with 47 additions and 4 deletions
--- a/coderd/users.go
+++ b/coderd/users.go
@ -913,6 +913,11 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 	defer commitAudit()
 	aReq.Old = user

+	if !api.Authorize(r, policy.ActionUpdatePersonal, user) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+
 	if !httpapi.Read(ctx, rw, r, &params) {
 		return
 	}