This isn't necessary, you can check the RBAC roles of the user from httpmw.UserParam directly.

From what I tested the UserParam returns the user from the URL and not the user authenticated - did I missed something ?

What I try to achieve here is to know if the user doing the request is an admin or not.

Ah, good point. I think there are still some subtleties here:

• httpmw.UserParam will still use the authenticated request user (requestor) from the request context to fetch the required user. If the requestor does not have the permission to read the user, this will fail.
• This may not take into account custom RBAC roles or an organization admin role

I think the reason for this check is to allow user administrators to reset a user's password without having to specify their existing password.

A better check might be something along the lines of apiKey.UserID != user.ID && api.Authorize(r, policy.ActionUpdate, user.

Hey @johnstcn as we discussed I changed a bit the logic to verify the user associated to the APIKey to the user we try to update - also validated the behavior for Auditor (it works as expected.)

I changed this test to reflect the logic change here.

IMO even an admin should not be able to change its own password without giving the old password - also the UI currently forces users (admin too) to have the old password.