From 918373cb69816f74ebc6569e7feba64c69633b48 Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Tue, 16 Dec 2025 06:19:48 -0600
Subject: [PATCH] don't require old password for users with admin role when changing passwords

---
 frigate/api/auth.py | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index 95ee4f9dc..d3b50067c 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -893,13 +893,9 @@ async def update_password(
 except DoesNotExist:
 return JSONResponse(content={"message": "User not found"}, status_code=404)

- # Require old_password when:
- # 1. Non-admin user is changing another user's password (admin only action)
- # 2. Any user is changing their own password
- is_changing_own_password = current_username == username
- is_non_admin = current_role != "admin"
-
- if is_changing_own_password or is_non_admin:
+ # Require old_password when non-admin user is changing any password
+ # Admin users changing passwords do NOT need to provide the current password
+ if current_role != "admin":
 if not body.old_password:
 return JSONResponse(
 content={"message": "Current password is required"},
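Review bot: The new condition `if current_role != "admin":` also drops the current-password check when an admin changes their own password, which the removed `is_changing_own_password` branch enforced. Anyone holding a live admin session (a stolen token, an unattended browser) can then replace that admin's credential without knowing it, so a session compromise becomes a lasting account takeover. If the goal is only to let admins reset other accounts, keep re-authentication for the self-service case with `if current_role != "admin" or current_username == username:`. If the relaxation is intentional, the comment should say why, and the change should be logged and should invalidate the account's existing sessions; whether that already happens is not visible here. The body of update_password starts before and continues past this hunk, so how `current_role` is derived and whether non-admins are blocked from targeting other users cannot be confirmed from these lines.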