fix: require current password for user management#738
Conversation
|
There was a problem hiding this comment.
Code Review
This pull request introduces a security enhancement requiring the current password when creating a new user or updating an admin's password. It adds backend validation in app_auth.py via a new helper function _current_password_error, updates the API schemas, and integrates the corresponding input fields and logic into the frontend (users.js and users.html). Comprehensive unit tests have also been added to verify these validation flows. There are no review comments, and I have no additional feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
NeptuneHub
left a comment
There was a problem hiding this comment.
Hi and thanks for the PR. Please the current password field, when is requested for activity on OTHER users (so not yourself) need to be clear that is your password to confirm the activity so:
- Instead of current password label put something like "Insert your admin password to confirm the operation"
- put it in the bottom, separated maybe with some space from the information of the user that you are creating/modifing
|
Thanks for taking the time to put this together and for the suggestion. I think the underlying idea is worthwhile, but after reviewing the changes, I don't think this implementation is the right fit. At this point, I think it will be more efficient for me to implement the change directly rather than iterate further on this PR, so I'm going to close it. Thanks again for the contribution and the idea. |



AS-IS
Admins could create additional users without confirming their own password. Admin resets for admin accounts also skipped current-password confirmation, while only non-admin self-service password changes required it.
TO-BE
Creating a user requires the current authenticated admin password. Password changes require current-password confirmation for self-service changes and when the target account is an admin, while admin resets for regular user accounts keep the existing flow.
Test
uv run --python 3.12 --with pytest --with flask --with PyJWT --with argon2-cffi --with psycopg2-binary --with redis --with rq --with pyyaml --with requests --with numpy --with rapidfuzz pytest test/unit/test_app_auth.pyuv run --with ruff ruff check app_auth.py test/unit/test_app_auth.pynode --check static/users.jsgit diff --checkOther useful information
Split from closed #735 and limited to user-management password confirmation.
Checklist
Type of change:
Tested on architecture:
Tested on media server:
Updated:
Other:
Related ISSUE: N/A