
prevent changing admin passwords

Hunter Kehoe 1 год назад
Родитель
Сommit
ad7ab18fb7
2 измененных файлов с 19 добавлено и 1 удалено
  1. 3 0
      server/server_admin.go
  2. 16 1
      server/server_admin_test.go

+ 3 - 0
server/server_admin.go

@@ -50,6 +50,9 @@ func (s *Server) handleUsersAdd(w http.ResponseWriter, r *http.Request, v *visit
 		return err
 	} else if u != nil {
 		if req.Force == true {
+			if u.IsAdmin() {
+				return errHTTPForbidden
+			}
 			if err := s.userManager.ChangePassword(req.Username, req.Password); err != nil {
 				return err
 			}
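Review bot: The new guard at the top of the force branch rejects every admin target, including the calling admin itself, so an admin can no longer rotate their own password through this endpoint; that is a deliberate policy and deserves a comment above the check so the next maintainer does not "fix" it, e.g. `// Never overwrite an existing admin's password, even with force=true`. The surrounding context line `if req.Force == true {` reads better as `if req.Force {` while this branch is being touched. handleUsersAdd starts and ends outside the hunk.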

+ 16 - 1
server/server_admin_test.go

@@ -59,7 +59,7 @@ func TestUser_AddRemove(t *testing.T) {
 	require.Equal(t, user.Everyone, users[2].Name)
 }
 
-func TestUser_ChangePassword(t *testing.T) {
+func TestUser_ChangeUserPassword(t *testing.T) {
 	s := newTestServer(t, newTestConfigWithAuthFile(t))
 	defer s.closeDatabases()
 
@@ -97,6 +97,21 @@ func TestUser_ChangePassword(t *testing.T) {
 	require.Equal(t, 200, rr.Code)
 }
 
+func TestUser_DontChangeAdminPassword(t *testing.T) {
+	s := newTestServer(t, newTestConfigWithAuthFile(t))
+	defer s.closeDatabases()
+
+	// Create admin
+	require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
+	require.Nil(t, s.userManager.AddUser("admin", "admin", user.RoleAdmin))
+
+	// Try to change password via API
+	rr := request(t, s, "PUT", "/v1/users", `{"username": "admin", "password": "admin-new", "force":true}`, map[string]string{
+		"Authorization": util.BasicAuth("phil", "phil"),
+	})
+	require.Equal(t, 403, rr.Code)
+}
+
 func TestUser_AddRemove_Failures(t *testing.T) {
 	s := newTestServer(t, newTestConfigWithAuthFile(t))
 	defer s.closeDatabases()
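Review bot: TestUser_DontChangeAdminPassword only asserts the 403 and never checks that the target's password was actually left untouched, which is the property the commit is protecting; after the `require.Equal(t, 403, rr.Code)` line, add a follow-up request authenticated with the original `util.BasicAuth("admin", "admin")` credentials (or a direct check via the user manager, if it exposes an authenticate call) and assert it still succeeds. The comment `// Create admin` is also out of step with the two lines below it, which create two admins; `// Create two admins: phil is the caller, admin is the target` says what the setup is for. The rename in the earlier hunk is fine on its own.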