IBX-362: Fixed 'user/password' policy check (#3101)

* IBX-362: Fixed 'user/password' policy check

* IBX-362: Brought back content/edit permission check

* IBX-362: Added integration test

* IBX-362: CS

eZ/Publish/API/Repository/Tests/UserServiceTest.php

@@ -1976,6 +1976,35 @@ public function testUpdateUserWithStrongPassword()
         $this->assertInstanceOf(User::class, $user);
     }
 
+    /**
+     * @covers \eZ\Publish\API\Repository\UserService::updateUser
+     */
+    public function testUpdateUserByUserWithLimitations(): void
+    {
+        $repository = $this->getRepository();
+        $userService = $repository->getUserService();
+
+        $user = $this->createTestUserWithPassword('H@xxxiR!_1', $this->createUserContentTypeWithStrongPassword());
+
+        $currentUser = $this->createUserWithPolicies(
+            'user',
+            [
+                ['module' => 'content', 'function' => 'edit'],
+                ['module' => 'user', 'function' => 'password'],
+            ],
+            new SubtreeLimitation(['limitationValues' => ['/1/2']])
+        );
+        $repository->getPermissionResolver()->setCurrentUserReference($currentUser);
+
+        // Create a new update struct instance
+        $userUpdate = $userService->newUserUpdateStruct();
+        $userUpdate->password = 'H@xxxiR!_2';
+
+        $user = $userService->updateUser($user, $userUpdate);
+
+        self::assertInstanceOf(User::class, $user);
+    }
+
     /**
      * Test for the loadUserGroupsOfUser() method.
      *

eZ/Publish/Core/Repository/UserService.php

@@ -848,7 +848,7 @@ public function updateUser(APIUser $user, UserUpdateStruct $userUpdateStruct)
 
         if (!empty($userUpdateStruct->password) &&
             !$canEditContent &&
-            !$this->permissionResolver->canUser('user', 'password', $loadedUser)
+            !$this->permissionResolver->canUser('user', 'password', $loadedUser, [$loadedUser])
         ) {
             throw new UnauthorizedException('user', 'password');
         }