refactor: change pwd change logic

add one more test

src/user/profile.js

@@ -278,24 +278,18 @@ module.exports = function (User) {
 		if (meta.config['password:disableEdit'] && !isAdmin) {
 			throw new Error('[[error:no-privileges]]');
 		}
-		let isAdminOrPasswordMatch = false;
+
 		const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
 
 		if (!isAdmin && !isSelf) {
 			throw new Error('[[user:change_password_error_privileges]]');
 		}
 
-		if (
-			(isAdmin && !isSelf) || // Admins ok
-			(!hasPassword && isSelf)	// Initial password set ok
-		) {
-			isAdminOrPasswordMatch = true;
-		} else {
-			isAdminOrPasswordMatch = await User.isPasswordCorrect(data.uid, data.currentPassword, data.ip);
-		}
-
-		if (!isAdminOrPasswordMatch) {
-			throw new Error('[[user:change_password_error_wrong_current]]');
+		if (isSelf && hasPassword) {
+			const correct = await User.isPasswordCorrect(data.uid, data.currentPassword, data.ip);
+			if (!correct) {
+				throw new Error('[[user:change_password_error_wrong_current]]');
+			}
 		}
 
 		const hashedPassword = await User.hashPassword(data.newPassword);

test/user.js

@@ -860,6 +860,19 @@ describe('User', function () {
 			assert(correct);
 		});
 
+		it('should not let admin change their password if current password is incorrect', async function () {
+			const adminUid = await User.create({ username: 'adminforgotpwd', password: 'admin1234' });
+			await groups.join('administrators', adminUid);
+
+			let err;
+			try {
+				await socketUser.changePassword({ uid: adminUid }, { uid: adminUid, newPassword: '654321', currentPassword: 'wrongpwd' });
+			} catch (_err) {
+				err = _err;
+			}
+			assert.equal(err.message, '[[user:change_password_error_wrong_current]]');
+		});
+
 		it('should change username', function (done) {
 			socketUser.changeUsernameEmail({ uid: uid }, { uid: uid, username: 'updatedAgain', password: '123456' }, function (err) {
 				assert.ifError(err);