reworked password change

src/api/user.js

@@ -73,14 +73,15 @@ set.params = {
   permission: { type: 'string', optional: true }
 }
 
-export async function changePassword ({id, oldPassword, newPassword}) {
+export async function changePassword ({oldPassword, newPassword}) {
-  await this.changePassword(id, oldPassword, newPassword)
+  await this.changePassword(oldPassword, newPassword)
 }
 
 changePassword.description = 'change password after checking old password (user function)'
 
+changePassword.permission = ''
+
 changePassword.params = {
-  id: {type: 'string'},
   oldPassword: {type: 'string'},
   newPassword: {type: 'string'}
 }

src/index.js

@@ -335,7 +335,7 @@ const apiHelpers = {
     // Handles both properties and wrapped models.
     const properties = user.properties || user
 
-    return pick(properties, 'id', 'email', 'groups', 'permission')
+    return pick(properties, 'id', 'email', 'groups', 'permission', 'provider')
   },
 
   getServerPublicProperties (server) {

src/xo.js

@@ -334,15 +334,20 @@ export default class Xo extends EventEmitter {
     })
   }
 
-  async changePassword (id, oldPassword, newPassword) {
+  async changePassword (oldPassword, newPassword) {
+    const id = this.session.get('user_id')
     const user = await this._getUser(id)
 
+    if (user.provider) {
+      throw new Error('Password change is only for locally created users')
+    }
+
     const auth = await user.checkPassword(oldPassword)
     if (!auth) {
       throw new InvalidCredential()
     }
     await user.setPassword(newPassword)
-    return await this._users.save(user.properties)
+    await this._users.save(user.properties)
   }
 
   // -----------------------------------------------------------------