From 20e464776c847ff03c49cbd2fd8308535f18b92e Mon Sep 17 00:00:00 2001
From: Roman
Date: Mon, 30 Dec 2024 12:20:02 +0100
Subject: [PATCH] more bugfixes
---
 Core/API/UserAPI.class.php | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/Core/API/UserAPI.class.php b/Core/API/UserAPI.class.php
index 671b8ab..b87b959 100644
--- a/Core/API/UserAPI.class.php
+++ b/Core/API/UserAPI.class.php
@@ -879,12 +879,12 @@ namespace Core\API\User {
 return $this->createError("Cannot remove Administrator group from own user.");
 } else if (in_array(Group::ADMIN, $groupIds) && !$currentUser->hasGroup(Group::ADMIN)) {
 return $this->createError("You cannot add the administrator group to other users.");
- }
-
- $availableGroups = Group::findAll($sql, new CondIn(new Column("id"), $groupIds));
- foreach ($groupIds as $groupId) {
- if (!isset($availableGroups[$groupId])) {
- return $this->createError("Group with id=$groupId does not exist.");
+ } else if (!empty($groups)) {
+ $availableGroups = Group::findAll($sql, new CondIn(new Column("id"), $groupIds));
+ foreach ($groupIds as $groupId) {
+ if (!isset($availableGroups[$groupId])) {
+ return $this->createError("Group with id=$groupId does not exist.");
+ }
 }
 }
@@ -918,8 +918,12 @@ namespace Core\API\User {
 }
 if (!is_null($password)) {
- $user->password = $this->hashPassword($password);
- $columnsToUpdate[] = "password";
+ if ($user->isLocalAccount()) {
+ $user->password = $this->hashPassword($password);
+ $columnsToUpdate[] = "password";
+ } else {
+ return $this->createError("Cannot change password of an externally managed user account.");
+ }
 }
 if (!is_null($confirmed)) {
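Review bot: In the first hunk (`@@ -879`), the new guard tests `$groups`, while every other line in the hunk works on `$groupIds` and no `$groups` is defined in the visible lines. If that variable is not assigned earlier in the function (which starts outside the hunk), `!empty($groups)` is always false, so the existence check is silently skipped and unknown group ids would pass validation. The condition probably should read `} else if (!empty($groupIds)) {`.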
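Review bot: In the second hunk (`@@ -918`), the rejection for externally managed accounts is reached only after earlier parameters have been handled, and the code between the two hunks is not visible here. If anything is persisted before this point, a rejected request would be partially applied. It would be safer to run the check up front with the other input validation, as a guard clause: `if (!is_null($password) && !$user->isLocalAccount()) { return $this->createError("Cannot change password of an externally managed user account."); }`. A short why-comment would also help, for example `// externally managed accounts presumably authenticate elsewhere; do not store a local password hash for them`.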