From f3a8ead621a6e931db9112ad0cbd3c3d2b60633b Mon Sep 17 00:00:00 2001
From: Tyler Kennedy
Date: Tue, 1 Aug 2017 14:11:13 -0400
Subject: [PATCH] Do not require old password verification when current user is a sysadmin. Add an is_sysadmin template value for user_edit_form.html
---
 ckan/controllers/user.py | 31 ++++++++++++++++++-------
 ckan/templates/user/edit_user_form.html | 2 ++
 2 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py
index 007dddb1580..ce3733d37e3 100644
--- a/ckan/controllers/user.py
+++ b/ckan/controllers/user.py
@@ -1,3 +1,4 @@
+# =*- coding: utf-8 -*-
 import logging
 from pylons import config
@@ -33,6 +34,10 @@ unflatten = dictization_functions.unflatten
+def require_sudo_mode():
+ pass
+
+
 def set_repoze_user(user_id):
 '''Set the repoze.who cookie to match a given user_id'''
 if 'repoze.who.plugins' in request.environ:
@@ -277,6 +282,8 @@ def edit(self, id=None, data=None, errors=None, error_summary=None):
 except NotAuthorized:
 abort(401, _('Unauthorized to edit a user.'))
+ require_sudo_mode()
+
 if (context['save']) and not data:
 return self._save_edit(id, context)
@@ -305,12 +312,18 @@ def edit(self, id=None, data=None, errors=None, error_summary=None):
 (str(c.user), id))
 errors = errors or {}
- vars = {'data': data, 'errors': errors, 'error_summary': error_summary}
+ vars = {
+ 'data': data,
+ 'errors': errors,
+ 'error_summary': error_summary,
+ 'is_sysadmin': authz.is_sysadmin(c.user)
+ }
- self._setup_template_variables({'model': model,
- 'session': model.Session,
- 'user': c.user or c.author},
- data_dict)
+ self._setup_template_variables({
+ 'model': model,
+ 'session': model.Session,
+ 'user': c.user or c.author
+ }, data_dict)
 c.is_myself = True
 c.show_email_notifications = h.asbool(
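Review bot: The coding cookie added at the top of ckan/controllers/user.py is misspelled: `# =*- coding: utf-8 -*-` should read `# -*- coding: utf-8 -*-`. The PEP 263 pattern only requires `coding[:=]`, so the interpreter still honours it, but Emacs-style `-*- … -*-` detection and linters that check the canonical form will not, and the typo will be copied into other files.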
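Review bot: `require_sudo_mode()` is a bare `pass` stub, yet `edit()` (the third hunk of this file) already calls it immediately after the authorization check, so a reader of `edit()` sees what looks like a re-authentication gate that enforces nothing. Either leave the call out until the function is implemented, or mark the stub unmistakably with a docstring such as `'''Placeholder for a re-authentication ("sudo mode") check; currently a no-op.'''` plus a `# TODO: implement before relying on this in edit()` line, so it cannot be mistaken for an effective control. The enclosing `edit()` method starts and ends outside that hunk.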
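Review bot: The `is_sysadmin` value passed to the template is computed with `authz.is_sysadmin(c.user)`, while the server-side decision on whether `old_password` is required (`_save_edit`, next hunk) uses `c.userobj.sysadmin`, and the template hunk in edit_user_form.html hides the field based on the first predicate only. If the two ever disagree the form omits a field the controller then reads unconditionally via `data_dict['old_password']` (presumably a KeyError), or shows a field that is ignored; use one predicate in both places, e.g. compute `is_sysadmin = authz.is_sysadmin(c.user)` once and reuse it in `_save_edit`. Hiding the input is a presentation detail; the controller remains the point of enforcement and should not depend on the field's presence. The enclosing `edit()` method begins before and continues after the hunk.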
@@ -332,9 +345,11 @@ def _save_edit(self, id, context):
 context['message'] = data_dict.get('log_message', '')
 data_dict['id'] = id
- if data_dict['password1'] and data_dict['password2']:
- identity = {'login': c.user,
- 'password': data_dict['old_password']}
+ if not c.userobj.sysadmin:
+ identity = {
+ 'login': c.user,
+ 'password': data_dict['old_password']
+ }
 auth = authenticator.UsernamePasswordAuthenticator()
 if auth.authenticate(request.environ, identity) != c.user:
diff --git a/ckan/templates/user/edit_user_form.html b/ckan/templates/user/edit_user_form.html
index dfdf4e8c51e..bc997fceeef 100644
--- a/ckan/templates/user/edit_user_form.html
+++ b/ckan/templates/user/edit_user_form.html
@@ -24,7 +24,9 @@
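Review bot: `if not c.userobj.sysadmin:` exempts a sysadmin from old-password verification even when the account being edited is their own, which removes the re-authentication step that protects the most privileged accounts against an unattended or hijacked session changing the password. The exemption should hold only when a sysadmin edits a different user, e.g. `if not (c.userobj.sysadmin and id not in (c.userobj.id, c.userobj.name)):` — `id` appears to be resolved as either a name or an id elsewhere in this controller, please confirm. The rewrite also drops the `data_dict['password1'] and data_dict['password2']` gate, so every non-sysadmin profile edit now requires `old_password` and the key is read unconditionally; if that is intended the commit message should say so, otherwise keep the password-change condition alongside the sysadmin test. `c.userobj` is assumed non-None here since the view aborts unauthenticated users earlier; `_save_edit` continues outside the hunk.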
 {{ _('Change password') }}
+ {% if not is_sysadmin %}
 {{ form.input('old_password', type='password', label=_('Old Password'), id='field-password', value=data.oldpassword, error=errors.oldpassword, classes=['control-medium'], attrs={'autocomplete': 'off'} ) }}
+ {% endif %}
 {{ form.input('password1', type='password', label=_('Password'), id='field-password', value=data.password1, error=errors.password1, classes=['control-medium'], attrs={'autocomplete': 'off'} ) }}