
Admin password change of other users still requires the old password parameter (doesn't matter if it's correct or not)? (apiko issue, closed, 4 comments)

apiko-rest-api commented on August 21, 2024
Admin password change of other users still requires the old password parameter (doesn't matter if it's correct or not)?


Comments (4)

ilabacheuski commented on August 21, 2024

In core.js it is written that this parameter is required. Apiko checks all requirements before doing anything. That's why it sends "code": 1.
On the other hand we have passwordchange.js, which checks if the current session user is admin, or if access is with a secret key. If so, there is no need for the old password, and gibberish data is just skipped and not used at all.

So: if we have an admin session (after login), or access using the secret key, we don't use "old": 'oldPasswordExample', but the "old" parameter is still required because it's written so in core.js.

This slightly confusing behavior could be changed in the future to allow admin users to skip the required-parameter check, or to separate the API for normal and admin users.


alewiahmed commented on August 21, 2024

So, you need the current password for a normal user, but for admin there is no extra security to check if the user changing the password is the owner of the admin account.

The purpose of the current password is that if someone found your account open, he couldn't lock you out of your account by changing the password, because the system asks for the current password. In our case, if someone found the admin account open, that someone can change the password of the admin and everybody else without any hassle, because the system doesn't require the current password of the admin. Could you explain that?


ilabacheuski commented on August 21, 2024

Do you mean the user can change the admin password?
Because now it should be that only an admin can change any user's password, skipping the old password comparison.
The current session holds information about the current user and his role. The session is filled with user data while logging in.
Skipping the password check is only possible in 2 situations:

  1. If the session holds information about the user's roles and one of the roles is 'admin'
  2. You access with the apiko secret key, which should be held in server-only private space in the 'apiko.json' file.

I had one weird situation for a common, not admin, user. The session held information from the previously logged in user. But I couldn't repeat this strange behaviour and thought it was just because of some problem on my PC only. (I checked out branches and maybe not all data was saved.)

In conclusion:

| Situation | Apiko compares password | Apiko doesn't compare password | Note |
|---|---|---|---|
| Any access with secret key | NO | YES | User is like admin |
| Common user tries to change his own password | YES | NO | Access is done with a token after logging in only |
| Common user tries to change not his own password | NO | - | Request rejected before apiko tries to change the password |
| Admin user tries to change his or not his password | NO | YES | Admin access with token. Checking if the current user is admin is done by checking the server-side session. If the user role includes 'admin', the user is admin |

If the session is held open, apiko doesn't check the password at all. Maybe it's a good idea to check the admin's password. But if you have an admin token, your system is already in danger. You cannot ask for a password every time you use the API. For this we have a token which is valid for the session.
If you are admin and you have a session token, your password was already compared. Making another comparison? It could be done, but what is the reason? The UI could ask twice, for example.
The situation where the admin didn't log out is bad. Actually, I didn't check how the user can log out.


ilabacheuski commented on August 21, 2024

The key 'old' will be changed to 'current', and we can check the admin's password for security reasons.

