couple updates to streamline user updates endpoints.

src/metabase/api/user.clj

@@ -26,21 +26,24 @@
 
 
 (defendpoint PUT "/:id" [id :as {:keys [body]}]
-  (check-403 (= id *current-user-id*))                                     ; you can only update yourself (or can admins update other users?)
+  ; user must be getting their own details OR they must be a superuser to proceed
+  (check-403 (or (= id *current-user-id*) (:is_superuser @*current-user*)))
+  ;; TODO - validate that email address isn't taken
   (check-500 (->> (select-non-nil-keys body :email :first_name :last_name)
                   (mapply upd User id)))                                   ; `upd` returns `false` if no updates occured. So in that case return a 500
   (sel :one User :id id))                                                  ; return the updated user
 
 
-;; TODO: do we want a permissions check here?
-(defendpoint PUT "/:id/password" [id :as {:keys [body]}]
-  (let [{:keys [password old_password]} body]
-    (check (and password old_password) [400 "You must specify both old_password and password"])
-    (check-404 (exists? User :id id))
+(defendpoint PUT "/:id/password" [id :as {{:keys [password old_password] :as body} :body}]
+  ; caller must supply current and new password attributes
+  (check (and password old_password) [400 "You must specify both old_password and password"])
+  ; user must be getting their own details OR they must be a superuser to proceed
+  (check-403 (or (= id *current-user-id*) (:is_superuser @*current-user*)))
+  (check-404 (exists? User :id id))
     ;; TODO - match old password against current one
     ;; TODO - password encryption
     (upd User id :password password)
-    (sel :one User :id id)))
+    (sel :one User :id id))
 
 
 (define-routes)