U4-7009 Changing passwords design oversight

src/Umbraco.Core/Security/MembershipProviderBase.cs

@@ -9,6 +9,7 @@ using System.Web.Configuration;
 using System.Web.Hosting;
 using System.Web.Security;
 using Umbraco.Core.Logging;
+using Umbraco.Core.Models;
 
 namespace Umbraco.Core.Security
 {
@@ -520,7 +521,9 @@ namespace Umbraco.Core.Security
 
         public override string ResetPassword(string username, string answer)
         {
-            if (EnablePasswordReset == false)
+            var auth = new HttpContextWrapper(HttpContext.Current).GetUmbracoAuthTicket();
+            var userIsAdmin = ApplicationContext.Current.Services.UserService.GetByUsername(auth.Name).IsAdmin();
+            if (userIsAdmin == false && EnablePasswordReset == false)
             {
                 throw new NotSupportedException("Password reset is not supported");
             }

src/Umbraco.Web.UI/umbraco/controls/PasswordChanger.ascx.cs

@@ -4,6 +4,9 @@ using System.Configuration.Provider;
 using System.Linq;
 using System.Web;
 using System.Web.Security;
+using Umbraco.Core;
+using Umbraco.Core.Models;
+using Umbraco.Core.Security;
 
 namespace Umbraco.Web.UI.Umbraco.Controls
 {
@@ -20,9 +23,11 @@ namespace Umbraco.Web.UI.Umbraco.Controls
             umbPasswordChanger_passwordNewConfirm.Text = null;
             //reset the flag always
             IsChangingPasswordField.Value = "false";
-            this.DataBind();
-        } 
 
-       
+            var auth = new HttpContextWrapper(HttpContext.Current).GetUmbracoAuthTicket();
+            ResetPlaceHolder.Visible = ApplicationContext.Current.Services.UserService.GetByUsername(auth.Name).IsAdmin();
+
+            this.DataBind();
+        }
     }
 }

src/Umbraco.Web.UI/umbraco/controls/passwordChanger.ascx

@@ -67,7 +67,7 @@
 
     <asp:HiddenField runat="server" ID="IsChangingPasswordField" Value="false" />
 
-    <asp:PlaceHolder runat="server" ID="ResetPlaceHolder" Visible="<%#Provider.EnablePasswordReset %>">
+    <asp:PlaceHolder runat="server" ID="ResetPlaceHolder">
         <div class="umb-el-wrap">
             <label class="control-label" for="<%=ResetPasswordCheckBox.ClientID %>"><%=umbraco.ui.GetText("user", "resetPassword")%></label>
             <div class="controls controls-row">

src/Umbraco.Web/MembershipProviderExtensions.cs

@@ -1,9 +1,6 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
+using System.Collections.Generic;
 using System.Web.Security;
+using Umbraco.Core.Models;
 using Umbraco.Core.Security;
 
 namespace Umbraco.Web
@@ -23,7 +20,7 @@ namespace Umbraco.Web
             return new Dictionary<string, object>
                 {
                     {"minPasswordLength", membershipProvider.MinRequiredPasswordLength},
-                    {"enableReset", membershipProvider.EnablePasswordReset},
+                    {"enableReset", UmbracoContext.Current.Security.CurrentUser.IsAdmin()},
                     {"enablePasswordRetrieval", membershipProvider.EnablePasswordRetrieval},
                     {"requiresQuestionAnswer", membershipProvider.RequiresQuestionAndAnswer},
                     {"allowManuallyChangingPassword", baseProvider != null && baseProvider.AllowManuallyChangingPassword}

src/Umbraco.Web/Security/MembershipHelper.cs

@@ -663,7 +663,8 @@ namespace Umbraco.Web.Security
             //Are we resetting the password??
             if (passwordModel.Reset.HasValue && passwordModel.Reset.Value)
             {
-                if (membershipProvider.EnablePasswordReset == false)
+                var userIsAdmin = UmbracoContext.Current.Security.CurrentUser.IsAdmin();
+                if (userIsAdmin == false && membershipProvider.EnablePasswordReset == false)
                 {
                     return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Password reset is not enabled", new[] { "resetPassword" }) });
                 }