Disable user password change for non-admin user. #1926

web/migrations/versions/c62bcc14c3d6_.py

@@ -0,0 +1,37 @@
+
+"""empty message
+
+Revision ID: c62bcc14c3d6
+Revises: 1f0eddc8fc79
+Create Date: 2025-06-02 21:45:20.653669
+
+"""
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = 'c62bcc14c3d6'
+down_revision = '1f0eddc8fc79'
+branch_labels = None
+depends_on = None
+
+def upgrade():
+    # Add 'change_password' permission to all roles except 'Administrator'.
+    meta = sa.MetaData()
+    meta.reflect(op.get_bind(), only=('role',))
+    role_table = sa.Table('role', meta)
+
+    perm = role_table.c.permissions
+    op.execute(role_table.update().where(
+        (role_table.c.name != 'Administrator')
+    ).values(
+        permissions=sa.case(
+            (perm == None, 'change_password'),
+            (perm == '', 'change_password'),
+            else_=perm + ',change_password'
+        ))
+    )
+
+def downgrade():
+    # pgAdmin only upgrades, downgrade not implemented.
+    pass

web/pgadmin/model/__init__.py

@@ -33,7 +33,7 @@
 #
 ##########################################################################
 
-SCHEMA_VERSION = 44
+SCHEMA_VERSION = 45
 
 ##########################################################################
 #

web/pgadmin/tools/user_management/PgAdminPermissions.py

@@ -26,6 +26,7 @@ class AllPermissionTypes:
     tools_grant_wizard = 'tools_grant_wizard'
     storage_add_folder = 'storage_add_folder'
     storage_remove_folder = 'storage_remove_folder'
+    change_password = 'change_password'
 
     @staticmethod
     def list():
@@ -34,9 +35,10 @@ def list():
 
 
 class AllPermissionCategories:
-    object_explorer = 'Object Explorer'
-    tools = 'Tools'
-    storage_manager = 'Storage Manager'
+    object_explorer = gettext('Object Explorer')
+    tools = gettext('Tools')
+    storage_manager = gettext('Storage Manager')
+    miscellaneous = gettext('Miscellaneous')
 
 
 class PgAdminPermissions:
@@ -118,6 +120,11 @@ def __init__(self):
             AllPermissionTypes.storage_remove_folder,
             gettext("Delete file/folder")
         )
+        self.add_permission(
+            AllPermissionCategories.miscellaneous,
+            AllPermissionTypes.change_password,
+            gettext("Change password")
+        )
 
     def add_permission(self, category: str, permission: str, label: str):
         self._all_permissions.append({

web/pgadmin/tools/user_management/static/js/index.js

@@ -13,6 +13,7 @@ import gettext from 'sources/gettext';
 import { showChangeUserPassword, showUrlDialog } from '../../../../static/js/Dialogs/index';
 import { BROWSER_PANELS } from '../../../../browser/static/js/constants';
 import Component from './Component';
+import withCheckPermission from '../../../../browser/static/js/withCheckPermission';
 
 class UserManagement {
   static instance;
@@ -30,9 +31,11 @@ class UserManagement {
     this.initialized = true;
   }
 
-  // This is a callback function to show change user dialog.
+  // This is a callback function to show change user dialog based on permission.
   change_password(url) {
-    showChangeUserPassword(url);
+    withCheckPermission({ permission: 'change_password' }, () => {
+      showChangeUserPassword(url);
+    })();
   }
 
   // This is a callback function to show 2FA dialog.