Diffstat (limited to 'api4/user.go')
-rw-r--r--api4/user.go38
1 files changed, 38 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go
index cf9bb4ead..56cfc5d90 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -23,6 +23,7 @@ func InitUser() {
BaseRoutes.User.Handle("", ApiSessionRequired(updateUser)).Methods("PUT")
BaseRoutes.User.Handle("", ApiSessionRequired(deleteUser)).Methods("DELETE")
BaseRoutes.User.Handle("/roles", ApiSessionRequired(updateUserRoles)).Methods("PUT")
+ BaseRoutes.User.Handle("/password", ApiSessionRequired(updatePassword)).Methods("PUT")
BaseRoutes.Users.Handle("/login", ApiHandler(login)).Methods("POST")
BaseRoutes.Users.Handle("/logout", ApiHandler(logout)).Methods("POST")
@@ -281,6 +282,43 @@ func updateUserRoles(c *Context, w http.ResponseWriter, r *http.Request) {
ReturnStatusOK(w)
}
+func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
+ c.RequireUserId()
+ if c.Err != nil {
+ return
+ }
+
+ props := model.MapFromJson(r.Body)
+
+ newPassword := props["new_password"]
+
+ c.LogAudit("attempted")
+
+ var err *model.AppError
+ if c.Params.UserId == c.Session.UserId {
+ currentPassword := props["current_password"]
+ if len(currentPassword) <= 0 {
+ c.SetInvalidParam("current_password")
+ return
+ }
+
+ err = app.UpdatePasswordAsUser(c.Params.UserId, currentPassword, newPassword, c.GetSiteURL())
+ } else if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ err = app.UpdatePasswordByUserIdSendEmail(c.Params.UserId, newPassword, c.T("api.user.reset_password.method"), c.GetSiteURL())
+ } else {
+ err = model.NewAppError("updatePassword", "api.user.update_password.context.app_error", nil, "", http.StatusForbidden)
+ }
+
+ if err != nil {
+ c.LogAudit("failed")
+ c.Err = err
+ return
+ } else {
+ c.LogAudit("completed")
+ ReturnStatusOK(w)
+ }
+}
+
func login(c *Context, w http.ResponseWriter, r *http.Request) {
props := model.MapFromJson(r.Body)
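Review bot: In updatePassword, `new_password` is read from the request map and passed straight to app.UpdatePasswordAsUser or app.UpdatePasswordByUserIdSendEmail, while `current_password` is rejected when empty; a body with the key missing would presumably hand an empty string to the app layer. Unless those functions are known to enforce the password policy themselves (not visible in this hunk), reject it up front beside the existing check: `if len(newPassword) == 0 { c.SetInvalidParam("new_password"); return }`. Separately, the three c.LogAudit calls carry only a status word, so on the PERMISSION_MANAGE_SYSTEM branch the audit trail may not show whose password an administrator changed. If LogAudit does not already record the request path, consider naming the target, e.g. `c.LogAudit("attempted - user_id=" + c.Params.UserId)`.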