Password reset should count as a password change for User#must_change_passwd (#25253).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 5 Mar 2017 09:16:16 +0000 (09:16 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 5 Mar 2017 09:16:16 +0000 (09:16 +0000)
Patch by Felix Schäfer.

git-svn-id: http://svn.redmine.org/redmine/trunk@16374 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/account_controller.rb

index 54a29fbf4932c0a46c5fdc0a4d32c34e9ad3b24f..f986032703da765f8ca6ca0fde0599becac140f6 100644 (file)
@@ -80,13 +80,18 @@ class AccountController < ApplicationController
         return
       end
       if request.post?
-        @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
-        if @user.save
-          @token.destroy
-          Mailer.password_updated(@user)
-          flash[:notice] = l(:notice_account_password_updated)
-          redirect_to signin_path
-          return
+        if @user.must_change_passwd? && @user.check_password?(params[:new_password])
+          flash.now[:error] = l(:notice_new_password_must_be_different)
+        else
+          @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
+          @user.must_change_passwd = false
+          if @user.save
+            @token.destroy
+            Mailer.password_updated(@user)
+            flash[:notice] = l(:notice_account_password_updated)
+            redirect_to signin_path
+            return
+          end
         end
       end
       render :template => "account/password_recovery"
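Review bot: In the new `if @user.must_change_passwd? && @user.check_password?(params[:new_password])` branch the request is turned down with its own message while `@token` stays usable. For an account flagged must-change, the form therefore confirms to whoever holds the recovery token whether a submitted value equals the current password, and nothing in this hunk bounds how often that can be asked. Throttling or a short token lifetime may exist outside the hunk; if not, record the rejected attempt in the log and cap the number of tries per token, destroying the token once the cap is reached. A comment above `@user.must_change_passwd = false`, for example `# a completed reset satisfies the forced-change requirement; the flag is only persisted if save succeeds`, would also make the ordering with `@user.save` explicit. The enclosing action begins and ends outside the hunk, so earlier token validation is not visible here.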