From 89daf0f16a7e51a52c010cfb197c5bbe51e4810f Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 5 Mar 2017 09:16:16 +0000
Subject: [PATCH] Password reset should count as a password change for User#must_change_passwd (#25253).
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Patch by Felix Schäfer.
git-svn-id: http://svn.redmine.org/redmine/trunk@16374 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/account_controller.rb | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 54a29fbf4..f98603270 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -80,13 +80,18 @@ class AccountController < ApplicationController
 return
 end
 if request.post?
- @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
- if @user.save
- @token.destroy
- Mailer.password_updated(@user)
- flash[:notice] = l(:notice_account_password_updated)
- redirect_to signin_path
- return
+ if @user.must_change_passwd? && @user.check_password?(params[:new_password])
+ flash.now[:error] = l(:notice_new_password_must_be_different)
+ else
+ @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
+ @user.must_change_passwd = false
+ if @user.save
+ @token.destroy
+ Mailer.password_updated(@user)
+ flash[:notice] = l(:notice_account_password_updated)
+ redirect_to signin_path
+ return
+ end
 end
 end
 render :template => "account/password_recovery"
--
2.39.5
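Review bot: The new guard `if @user.must_change_passwd? && @user.check_password?(params[:new_password])` is evaluated before the password assignment in the `else` branch, and nothing in the hunk says why that ordering matters or why the reuse check applies only to forced changes; a comment such as `# Forced change: refuse the current password. Must be checked before the new password is assigned below.` would spare the next reader that inference. As written, an ordinary reset (flag not set) can set the same password again, which looks intended given the commit subject but is worth stating in the same comment. `@user.must_change_passwd = false` is assigned before `@user.save`, so when the save fails the form is re-rendered with an in-memory user whose flag is already cleared; presumably harmless because the next request reloads the user from the token before this hunk, but confirm that path. The enclosing action starts before the hunk and its end is past the last line shown.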