User with "Users Administrator" rights cannot change a password (#4423)

modules/admin/admin-ui/src/main/resources/web/admin/apps/user-manager/js/app/wizard/ChangeUserPasswordDialog.ts

@@ -6,6 +6,7 @@ import PasswordGenerator = api.ui.text.PasswordGenerator;
 import DialogButton = api.ui.dialog.DialogButton;
 import FormItemBuilder = api.ui.form.FormItemBuilder;
 import Validators = api.ui.form.Validators;
+import DefaultErrorHandler = api.DefaultErrorHandler;
 
 export class ChangeUserPasswordDialog extends api.ui.dialog.ModalDialog {
 
@@ -60,7 +61,7 @@ export class ChangeUserPasswordDialog extends api.ui.dialog.ModalDialog {
                 this.password.getValue()).sendAndParse().then((result) => {
                 api.notify.showFeedback('Password was changed!');
                 this.close();
-            });
+            }).catch(DefaultErrorHandler.handle);
         }));
         this.changePasswordButton.setEnabled(false);
     }

modules/core/core-api/src/main/java/com/enonic/xp/security/acl/AccessControlList.java

@@ -1,5 +1,6 @@
 package com.enonic.xp.security.acl;
 
+import java.util.Collection;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
@@ -26,6 +27,26 @@ private AccessControlList( final Builder builder )
         this.entries = ImmutableMap.copyOf( builder.entries );
     }
 
+    public static AccessControlList empty()
+    {
+        return EMPTY;
+    }
+
+    public static AccessControlList of( final AccessControlEntry... entries )
+    {
+        return AccessControlList.create().addAll( entries ).build();
+    }
+
+    public static Builder create()
+    {
+        return new Builder();
+    }
+
+    public static Builder create( final AccessControlList acl )
+    {
+        return new Builder( acl );
+    }
+
     public boolean isAllowedFor( final PrincipalKey principal, final Permission... permissions )
     {
         return doIsAllowedFor( principal, permissions );
@@ -50,7 +71,6 @@ private boolean doIsAllowedFor( final PrincipalKey principal, final Permission[]
         return entry != null && entry.isAllowed( permissions );
     }
 
-
     public PrincipalKeys getAllPrincipals()
     {
         final Set<PrincipalKey> principals = this.entries.values().stream().
@@ -73,6 +93,11 @@ public AccessControlEntry getEntry( final PrincipalKey principalKey )
         return this.entries.get( principalKey );
     }
 
+    public Collection<AccessControlEntry> getEntries()
+    {
+        return this.entries.values();
+    }
+
     public boolean contains( final PrincipalKey principalKey )
     {
         return this.entries.containsKey( principalKey );
@@ -117,26 +142,6 @@ public int hashCode()
         return this.entries.hashCode();
     }
 
-    public static AccessControlList empty()
-    {
-        return EMPTY;
-    }
-
-    public static AccessControlList of( final AccessControlEntry... entries )
-    {
-        return AccessControlList.create().addAll( entries ).build();
-    }
-
-    public static Builder create()
-    {
-        return new Builder();
-    }
-
-    public static Builder create( final AccessControlList acl )
-    {
-        return new Builder( acl );
-    }
-
     public static class Builder
     {
         private final Map<PrincipalKey, AccessControlEntry> entries;

modules/core/core-security/src/main/java/com/enonic/xp/core/impl/security/SecurityInitializer.java

@@ -17,8 +17,11 @@
 import com.enonic.xp.security.RoleKeys;
 import com.enonic.xp.security.SecurityConstants;
 import com.enonic.xp.security.SecurityService;
+import com.enonic.xp.security.SystemConstants;
 import com.enonic.xp.security.User;
 import com.enonic.xp.security.UserStoreKey;
+import com.enonic.xp.security.acl.AccessControlEntry;
+import com.enonic.xp.security.acl.AccessControlList;
 import com.enonic.xp.security.acl.UserStoreAccessControlEntry;
 import com.enonic.xp.security.acl.UserStoreAccessControlList;
 import com.enonic.xp.security.auth.AuthenticationInfo;
@@ -28,12 +31,12 @@
 
 final class SecurityInitializer
 {
+    public static final PrincipalKey SUPER_USER = PrincipalKey.ofUser( UserStoreKey.system(), "su" );
+
     static final String SYSTEM_USER_STORE_DISPLAY_NAME = "System User Store";
 
     private static final Logger LOG = LoggerFactory.getLogger( SecurityInitializer.class );
 
-    public static final PrincipalKey SUPER_USER = PrincipalKey.ofUser( UserStoreKey.system(), "su" );
-
     private static final ApplicationKey SYSTEM_ID_PROVIDER_KEY = ApplicationKey.from( "com.enonic.xp.app.standardidprovider" );
 
     private final SecurityService securityService;
@@ -87,10 +90,19 @@ private void initializeUserStoreParentFolder()
         final NodePath userStoreParentNodePath = UserStoreNodeTranslator.getUserStoresParentPath();
         LOG.info( "Initializing [" + userStoreParentNodePath.toString() + "] folder" );
 
+        final AccessControlEntry userManagerFullAccess = AccessControlEntry.create().
+            allowAll().
+            principal( RoleKeys.USER_MANAGER_ADMIN ).
+            build();
+
         nodeService.create( CreateNodeParams.create().
             parent( userStoreParentNodePath.getParentPath() ).
             name( userStoreParentNodePath.getLastElement().toString() ).
-            inheritPermissions( true ).
+            permissions( AccessControlList.create().
+                addAll( SystemConstants.SYSTEM_REPO_DEFAULT_ACL.getEntries() ).
+                add( userManagerFullAccess ).
+                build() ).
+            inheritPermissions( false ).
             build() );
     }
 
@@ -117,8 +129,9 @@ private void initializeSystemUserStore()
 
         final UserStoreAccessControlList permissions =
             UserStoreAccessControlList.of( UserStoreAccessControlEntry.create().principal( RoleKeys.ADMIN ).access( ADMINISTRATOR ).build(),
-                                           UserStoreAccessControlEntry.create().principal( RoleKeys.AUTHENTICATED ).access(
-                                               READ ).build() );
+                                           UserStoreAccessControlEntry.create().principal( RoleKeys.AUTHENTICATED ).access( READ ).build(),
+                                           UserStoreAccessControlEntry.create().principal( RoleKeys.USER_MANAGER_ADMIN ).access(
+                                               ADMINISTRATOR ).build() );
 
         final CreateUserStoreParams createParams = CreateUserStoreParams.create().
             key( UserStoreKey.system() ).