XWiki Platform / XWIKI-10733

"Simple" users can reset the password for Admins

Details

    • Bug
    • Resolution: Fixed
    • Blocker
    • 6.2-milestone-2, 5.4.6
    • 5.4.5, 6.1
    • Administration
    • Chrome 35, Firefox 30

    Description

      Steps to reproduce:

      • Create a simple user
      • Go to the reset password script and copy-paste the code (hide the line numbers): http://<server>/xwiki/bin/view/XWiki/ResetPassword?viewer=code
      • Go to the Blog application and edit a post whose document author is an Admin user (e.g. http://<server>/xwiki/bin/view/Blog/BlogIntroduction)
      • Insert the Velocity macro in the post content, then paste the code from the reset script
      • Modify the code to print the $passwordResetURL variable:
              #set ($passwordResetURL = $xwiki.getDocument('XWiki.ResetPasswordComplete').getExternalURL('view', "u=${userName}&v=${verifStr}")) $passwordResetURL

      • Save the post
      • In the input labeled "USERNAME", type "XWiki.Admin" and click "Reset"
      • Next, click on the link which completes the password reset for Admin

      Result: the form to complete the password reset for Admin will be displayed and the operation will succeed.

          People

            softec Denis Gervalle
            oana.tabaranu Elena-Oana Florea