From 67cc81e49f710e6e3386ff25d3a10578681e2cee Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Thu, 5 Dec 2019 09:13:34 +0100
Subject: [PATCH] AccountController: Prohibit password changes for users with `no-user/password-change`
---
 application/controllers/AccountController.php | 24 ++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/application/controllers/AccountController.php b/application/controllers/AccountController.php
index 154270bea..de1faf153 100644
--- a/application/controllers/AccountController.php
+++ b/application/controllers/AccountController.php
@@ -43,17 +43,19 @@ class AccountController extends Controller
         $config = Config::app()->getSection('global');
         $user = $this->Auth()->getUser();
         if ($user->getAdditional('backend_type') === 'db') {
-            try {
-                $userBackend = UserBackend::create($user->getAdditional('backend_name'));
-            } catch (ConfigurationError $e) {
-                $userBackend = null;
-            }
-            if ($userBackend !== null) {
-                $changePasswordForm = new ChangePasswordForm();
-                $changePasswordForm
-                    ->setBackend($userBackend)
-                    ->handleRequest();
-                $this->view->changePasswordForm = $changePasswordForm;
+            if ($user->can('*') || ! $user->can('no-user/password-change')) {
+                try {
+                    $userBackend = UserBackend::create($user->getAdditional('backend_name'));
+                } catch (ConfigurationError $e) {
+                    $userBackend = null;
+                }
+                if ($userBackend !== null) {
+                    $changePasswordForm = new ChangePasswordForm();
+                    $changePasswordForm
+                        ->setBackend($userBackend)
+                        ->handleRequest();
+                    $this->view->changePasswordForm = $changePasswordForm;
+                }
             }
         }
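Review bot: The new gate `if ($user->can('*') || ! $user->can('no-user/password-change'))` is correct as an authorization check because it sits before `handleRequest()`, so a restricted user's crafted POST is refused server-side rather than merely having the form hidden, but the expression is a double negative whose operand order is load-bearing and nothing in the hunk explains it. If, as the explicit `can('*')` test suggests, a wildcard grant makes every `can()` call true (including the prohibitive `no-user/*` ones), then dropping or reordering the first operand would silently lock administrators out, so this deserves a comment such as `// 'no-user/*' permissions are prohibitive; the wildcard must still win, so test it first`. It would also be worth confirming that no other route instantiates `ChangePasswordForm` against the same backend, since this check lives only in this action and a restricted user currently gets no feedback about why the form is absent. The enclosing action method begins before and continues past this hunk.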