Administrator should be able to set user's password
Description
Administrator should be able to set user's password. This solution should help with implementing the contract test for creating a new user (https://openlmis.atlassian.net/browse/OLMIS-1014#icft=OLMIS-1014). This would also respond to the requests from the field.
It works. Permission USERS_MANAGE is required for using this endpoint: /users/passwordReset. Without the assigned right, a user cannot change the password.
Jakub Kondrat
February 2, 2017 at 2:20 PM
(edited)
@Josh Zamor @Chongsun Ahn There is also a passwordReset endpoint in referencedata that checks USERS_MANAGE right and calls the one from auth:
1. /users/passwordReset (referencedata)
2. USERS_MANAGE right check
3. Service level call to /users/auth/passwordReset
4. ADMIN authority check
5. Password is actually changed
Should we refactor it somehow? E.g. we could make the one from auth accept service level tokens only.
The problem here is that auth doesn't know anything about user profiles and their rights, so we have to check them in referencedata.
Jakub Kondrat
February 2, 2017 at 1:26 PM
QA: It should already be possible for users with admin authority: "/users/auth/passwordReset"
I think we actually need a new endpoint, and the one above should be updated to make it clear that it requires a password reset token.
Admin permission to change anyone's password would be the USERS_MANAGE right.
Need to take in user's UUID.
Need to check that current user has USERS_MANAGE right, UNLESS the password being changed is the one for the current user, then no right is needed (just need to be authenticated).
Mary Jo Kochendorfer
January 26, 2017 at 6:35 PM
Hi folks. I'd like it to be in 3.0 but I'd need to understand the level of effort. We have heard both for our development and in Tanzania that it can be difficult leaving password changes only to end users.
Done
Acceptance Criteria
an administrator can set a user's password
check for admin rights
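The check discussed in the comments (USERS_MANAGE required unless the caller is changing their own password, with auth accepting only service-level tokens as proposed in the thread), sketched as an added example that is not OpenLMIS code. The `Caller` type, the two service classes and the in-memory credential store are assumptions made for illustration.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional
from uuid import UUID

USERS_MANAGE = "USERS_MANAGE"  # right name taken from the ticket

class Forbidden(Exception):
    pass

@dataclass(frozen=True)
class Caller:  # hypothetical stand-in for a validated access token
    user_id: Optional[UUID]            # None for a service-level token
    rights: FrozenSet[str] = frozenset()
    is_service: bool = False

class AuthService:
    """Hypothetical auth service: holds credentials, knows nothing about rights."""
    def __init__(self):
        self.credentials = {}          # user UUID -> (salt, PBKDF2 hash)

    def password_reset(self, caller, user_id, new_password):
        # Refactoring proposed in the thread: accept service-level tokens only,
        # so the rights check in referencedata cannot be bypassed.
        if not caller.is_service:
            raise Forbidden("service-level token required")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.credentials[user_id] = (salt, digest)

class ReferenceData:
    """Hypothetical referencedata service: knows user rights, delegates to auth."""
    def __init__(self, auth):
        self.auth = auth
        self.service_token = Caller(user_id=None, is_service=True)

    def password_reset(self, caller, user_id, new_password):
        if caller.user_id is None:
            raise Forbidden("an authenticated user is required")
        # Own password: authentication is enough. Anyone else's: USERS_MANAGE.
        if caller.user_id != user_id and USERS_MANAGE not in caller.rights:
            raise Forbidden("USERS_MANAGE right required")
        self.auth.password_reset(self.service_token, user_id, new_password)

def allowed(call, *args):
    """Return True if the call succeeds, False if it is refused."""
    try:
        call(*args)
        return True
    except Forbidden:
        return False
```

With this split, a user holding USERS_MANAGE still cannot reach the auth endpoint directly; every change has to pass the rights check in referencedata first.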