Fix missing password length check when change password (#3039) (#3071)
authorLunny Xiao <xiaolunwen@gmail.com>
Sun, 3 Dec 2017 01:49:25 +0000 (09:49 +0800)
committerGitHub <noreply@github.com>
Sun, 3 Dec 2017 01:49:25 +0000 (09:49 +0800)
* fix missing password length check when change password

* add tests for change password

modules/test/context_tests.go
routers/user/setting.go
routers/user/setting_test.go [new file with mode: 0644]

index 6bb7ffe9876d078593214d06f76306cb0cb01f2d..daf4d837eff16b3a77efa4098e9f24c92c05eb26 100644 (file)
@@ -11,6 +11,7 @@ import (
 
        "code.gitea.io/gitea/modules/context"
 
+       "github.com/go-macaron/session"
        "github.com/stretchr/testify/assert"
        macaron "gopkg.in/macaron.v1"
 )
@@ -33,6 +34,9 @@ func MockContext(t *testing.T) *context.Context {
        macaronContext.Render = &mockRender{ResponseWriter: macaronContext.Resp}
        return &context.Context{
                Context: macaronContext,
+               Flash: &session.Flash{
+                       Values: make(url.Values),
+               },
        }
 }
 
index a00f3f287a7dd7154489a587ad536cf7ba938bd8..c0be4edd6aff132b34a1c8362f669b2eb5d74ae3 100644 (file)
@@ -223,7 +223,9 @@ func SettingsSecurityPost(ctx *context.Context, form auth.ChangePasswordForm) {
                return
        }
 
-       if ctx.User.IsPasswordSet() && !ctx.User.ValidatePassword(form.OldPassword) {
+       if len(form.Password) < setting.MinPasswordLength {
+               ctx.Flash.Error(ctx.Tr("auth.password_too_short", setting.MinPasswordLength))
+       } else if ctx.User.IsPasswordSet() && !ctx.User.ValidatePassword(form.OldPassword) {
                ctx.Flash.Error(ctx.Tr("settings.password_incorrect"))
        } else if form.Password != form.Retype {
                ctx.Flash.Error(ctx.Tr("form.password_not_match"))
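Review bot: The new guard at the top of the chain compares `len(form.Password)`, which counts bytes, so a password made of multi-byte characters can satisfy `setting.MinPasswordLength` with fewer characters than the policy appears to intend. If the minimum is meant in characters, use `utf8.RuneCountInString(form.Password) < setting.MinPasswordLength`; this needs `unicode/utf8` in the file's imports, which are outside this hunk, and the same measure should be used wherever else the minimum is enforced so the paths agree. A one-line comment such as `// Reject passwords shorter than the configured minimum before any other check.` would also record why this branch comes first. SettingsSecurityPost starts before and continues after this hunk.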
diff --git a/routers/user/setting_test.go b/routers/user/setting_test.go
new file mode 100644 (file)
index 0000000..72b1b83
--- /dev/null
@@ -0,0 +1,68 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package user
+
+import (
+       "net/http"
+       "testing"
+
+       "code.gitea.io/gitea/models"
+       "code.gitea.io/gitea/modules/auth"
+       "code.gitea.io/gitea/modules/setting"
+       "code.gitea.io/gitea/modules/test"
+
+       "github.com/stretchr/testify/assert"
+)
+
+func TestChangePassword(t *testing.T) {
+       oldPassword := "password"
+       setting.MinPasswordLength = 6
+
+       for _, req := range []struct {
+               OldPassword string
+               NewPassword string
+               Retype      string
+               Message     string
+       }{
+               {
+                       OldPassword: oldPassword,
+                       NewPassword: "123456",
+                       Retype:      "123456",
+                       Message:     "",
+               },
+               {
+                       OldPassword: oldPassword,
+                       NewPassword: "12345",
+                       Retype:      "12345",
+                       Message:     "auth.password_too_short",
+               },
+               {
+                       OldPassword: "12334",
+                       NewPassword: "123456",
+                       Retype:      "123456",
+                       Message:     "settings.password_incorrect",
+               },
+               {
+                       OldPassword: oldPassword,
+                       NewPassword: "123456",
+                       Retype:      "12345",
+                       Message:     "form.password_not_match",
+               },
+       } {
+               models.PrepareTestEnv(t)
+               ctx := test.MockContext(t, "user/settings/security")
+               test.LoadUser(t, ctx, 2)
+               test.LoadRepo(t, ctx, 1)
+
+               SettingsSecurityPost(ctx, auth.ChangePasswordForm{
+                       OldPassword: req.OldPassword,
+                       Password:    req.NewPassword,
+                       Retype:      req.Retype,
+               })
+
+               assert.EqualValues(t, req.Message, ctx.Flash.ErrorMsg)
+               assert.EqualValues(t, http.StatusFound, ctx.Resp.Status())
+       }
+}
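Review bot: `test.MockContext(t, "user/settings/security")` passes two arguments, but the signature shown in the modules/test/context_tests.go hunk header is `MockContext(t *testing.T)` and this commit does not change it, so the test may not compile on this branch unless the helper was extended elsewhere; `test.LoadUser` and `test.LoadRepo` are worth confirming the same way. Separately, `setting.MinPasswordLength = 6` overwrites a package-level setting and never restores it, which can leak into other tests in the same run; add `defer func(old int) { setting.MinPasswordLength = old }(setting.MinPasswordLength)` right after the assignment. The table also has no multi-byte password case, so the byte-versus-character behaviour of the new length check is untested.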