allow moderator to reset user password

burpui/api/__init__.py

@@ -176,6 +176,21 @@ class Api(ApiPlus):
             return decorated
         return decorator
 
+    def acl_own_or_admin_or_moderator(self, key='name', message='Access denied', code=403):
+        def decorator(func):
+            @wraps(func)
+            def decorated(resource, *args, **kwargs):
+                if key not in kwargs:  # pragma: no cover
+                    resource.abort(500, "key '{}' not found".format(key))
+                if kwargs[key] != current_user.name and \
+                        not current_user.is_anonymous and \
+                        not current_user.acl.is_admin() and \
+                        not current_user.acl.is_moderator():
+                    resource.abort(code, message)
+                return func(resource, *args, **kwargs)
+            return decorated
+        return decorator
+
     def disabled_on_demo(self):
         def decorator(func):
             @wraps(func)

burpui/api/admin.py

@@ -1531,7 +1531,7 @@ class AuthUsers(Resource):
         return [[code, message]], status
 
     @api.disabled_on_demo()
-    @api.acl_own_or_admin(key='name', message="Not allowed to modify this user")
+    @api.acl_own_or_admin_or_moderator(key='name', message="Not allowed to modify this user")
     @ns.expect(parser_mod)
     @ns.doc(
         responses={
@@ -1547,12 +1547,12 @@ class AuthUsers(Resource):
         """Change user password"""
         args = self.parser_mod.parse_args()
         backend = backend or args['backend']
-        is_admin = True
+        is_moderator = True
 
         if not current_user.is_anonymous:
-            is_admin = current_user.acl.is_admin()
+            is_moderator = current_user.acl.is_admin() or current_user.acl.is_moderator()
 
-        if not is_admin and not args['old_password']:
+        if not is_moderator and not args['old_password']:
             self.abort(400, "Old password required")
 
         try: