Maintain compatibility with old version

eZ/Publish/Core/Repository/UserService.php

@@ -645,7 +645,9 @@ public function updateUser(APIUser $user, UserUpdateStruct $userUpdateStruct): A
 
         $contentService = $this->repository->getContentService();
 
-        if (!$this->permissionResolver->canUser('content', 'edit', $loadedUser)) {
+        $canEditContent = $this->permissionResolver->canUser('content', 'edit', $loadedUser);
+
+        if (!$canEditContent && $this->isUserProfileUpdateRequested($userUpdateStruct)) {
             throw new UnauthorizedException('content', 'edit');
         }
 
@@ -681,6 +683,13 @@ public function updateUser(APIUser $user, UserUpdateStruct $userUpdateStruct): A
             );
         }
 
+        if (!empty($userUpdateStruct->password) &&
+            !$canEditContent &&
+            !$this->permissionResolver->canUser('user', 'password', $loadedUser)
+        ) {
+            throw new UnauthorizedException('user', 'password');
+        }
+
         $this->executeUserUpdate($loadedUser, $userUpdateStruct);
 
         return $this->loadUser($loadedUser->id);
@@ -1351,6 +1360,23 @@ private function comparePasswordHashes(
         return $this->passwordHashService->isValidPassword($plainPassword, $passwordHash, $hashAlgorithm);
     }
 
+    /**
+     * Return true if any of the UserUpdateStruct properties refers to User Profile (Content) update.
+     *
+     * @param UserUpdateStruct $userUpdateStruct
+     *
+     * @return bool
+     */
+    private function isUserProfileUpdateRequested(UserUpdateStruct $userUpdateStruct)
+    {
+        return
+            !empty($userUpdateStruct->contentUpdateStruct) ||
+            !empty($userUpdateStruct->contentMetadataUpdateStruct) ||
+            !empty($userUpdateStruct->email) ||
+            !empty($userUpdateStruct->enabled) ||
+            !empty($userUpdateStruct->maxLogin);
+    }
+
     private function getDateTime(?int $timestamp): ?DateTimeInterface
     {
         if ($timestamp !== null) {