User 1 does not need to have any roles to gain all permissions. If this user does not have any role (other than authenticated user) and no policies apply to authenticated user then the policy is not applied when user 1 edit's their password or another user's password.
Set up user 1 with no roles.
Set up a number of password policies ensuring none of them have 'authenticated' user role. Set them all to show the policy table.
Edit the password of any user, including their own.
The result is that the policy table will not show and the policy will not be applied.
Add to the existing logic in PasswordPolicyValidationManager.php to check for user 1. For user 1 look up the admin role in Role settings and check to see if this is in user 1's roles. If not add it.
I supply a patch that does this by creating a new protected method of this class called getUserRoles. This is used to replace $this->currentUser->getRoles() in this classes methods tableShouldBeVisible and validationShouldRun.
I also notice that this logic is using the currently logged in user rather than the user being edited and I am not sure if that is correct.
None
None
None
Needs review
4.0
Code
Thanks for the issue and patch. Moving to needs review.
Assigning to myself as it looks easy to test.