From bde1949e8feac2bef44787a7bab648e3d98e8684 Mon Sep 17 00:00:00 2001
From: Mike Cao <mike@mikecao.com>
Date: Tue, 15 Sep 2020 08:50:05 -0700
Subject: [PATCH] Fix password change issue.

---
 package.json                  | 2 +-
 pages/api/account/password.js | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index e6dc21ec..18207e6c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "umami",
-  "version": "0.33.0",
+  "version": "0.34.0",
   "description": "A simple, fast, website analytics alternative to Google Analytics. ",
   "author": "Mike Cao <mike@mikecao.com>",
   "license": "MIT",
diff --git a/pages/api/account/password.js b/pages/api/account/password.js
index c9c955fa..1b364d7b 100644
--- a/pages/api/account/password.js
+++ b/pages/api/account/password.js
@@ -6,10 +6,10 @@ import { checkPassword, hashPassword } from 'lib/crypto';
 export default async (req, res) => {
   await useAuth(req, res);
 
-  const { user_id, is_admin } = req.auth;
-  const { current_password, new_password } = req.body;
+  const { user_id: auth_user_id, is_admin } = req.auth;
+  const { user_id, current_password, new_password } = req.body;
 
-  if (is_admin) {
+  if (!is_admin || user_id !== auth_user_id) {
     return unauthorized(res);
   }