--- a/schema/manage_users.sql	Fri Aug 03 16:04:14 2018 +0200
+++ b/schema/manage_users.sql	Fri Aug 03 17:23:55 2018 +0200
@@ -93,6 +93,14 @@
 BEGIN
     cur_username = OLD.username;
 
+    IF cur_username <> session_user
+        AND NOT (pg_has_role(session_user, 'sys_admin', 'MEMBER')
+            OR pg_has_role(session_user, 'pw_reset', 'MEMBER'))
+    THEN
+        -- Discard row. This is what WITH CHECK in an RLS policy would do.
+        RETURN NULL;
+    END IF;
+
     UPDATE internal.user_profiles p
         SET (username, country, map_extent, email_address)
         = (NEW.username, NEW.country, NEW.map_extent, NEW.email_address)

--- a/schema/manage_users_tests.sql	Fri Aug 03 16:04:14 2018 +0200
+++ b/schema/manage_users_tests.sql	Fri Aug 03 17:23:55 2018 +0200
@@ -123,6 +123,21 @@
     42501, NULL,
     'Waterway user cannot update arbitrary user attributes');
 
+SET SESSION AUTHORIZATION test_admin_at;
+
+SELECT results_eq($$
+    UPDATE users.list_users
+        SET (pw, map_extent, email_address)
+            = ('user_at2!', 'BOX(0 0,1 1)', 'user_at_test')
+        WHERE country = users.current_user_country()
+            AND username <> current_user
+        RETURNING *
+    $$,
+    $$
+    SELECT '' WHERE false -- Empty result set
+    $$,
+    'Waterway admin cannot update attributes of other users in country');
+
 SET SESSION AUTHORIZATION test_sys_admin1;
 
 SELECT lives_ok($$

--- a/schema/run_tests.sh	Fri Aug 03 16:04:14 2018 +0200
+++ b/schema/run_tests.sh	Fri Aug 03 17:23:55 2018 +0200
@@ -16,7 +16,7 @@
     -c 'SET client_min_messages TO WARNING' \
     -c "DROP ROLE IF EXISTS $TEST_ROLES" \
     -f tap_tests_data.sql \
-    -c 'SELECT plan(44)' \
+    -c 'SELECT plan(45)' \
     -f auth_tests.sql \
     -f manage_users_tests.sql \
     -c 'SELECT * FROM finish()'