users: allow site owner to reset passwords of other users.

test/functional/passwords_controller_test.rb

@@ -31,6 +31,24 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
         assert_equal(@user, @user.authenticate_password("abcde"))
       end
 
+      should "allow the site owner to change the password of other users" do
+        @owner = create(:owner_user)
+        put_auth user_password_path(@user), @owner, params: { user: { password: "abcde", password_confirmation: "abcde" } }
+
+        assert_redirected_to @user
+        assert_equal(false, @user.reload.authenticate_password("12345"))
+        assert_equal(@user, @user.authenticate_password("abcde"))
+      end
+
+      should "not allow non-owners to change the password of other users" do
+        @admin = create(:admin_user)
+        put_auth user_password_path(@user), @admin, params: { user: { old_password: "12345", password: "abcde", password_confirmation: "abcde" } }
+
+        assert_response 403
+        assert_equal(@user, @user.reload.authenticate_password("12345"))
+        assert_equal(false, @user.authenticate_password("abcde"))
+      end
+
       should "not update the password when given an invalid old password" do
         put_auth user_password_path(@user), @user, params: { user: { old_password: "3qoirjqe", password: "abcde", password_confirmation: "abcde" } }