-rw-r--r--app/controllers/users_controller.rb4
-rw-r--r--test/functional/users_controller_test.rb18
2 files changed, 21 insertions, 1 deletions
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 6c1cc8d8e..81e794640 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -153,7 +153,8 @@ class UsersController < ApplicationController
end
def update
- if params[:user][:password].present? && (@user.auth_source_id.nil? || params[:user][:auth_source_id].blank?)
+ is_updating_password = params[:user][:password].present? && (@user.auth_source_id.nil? || params[:user][:auth_source_id].blank?)
+ if is_updating_password
@user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation]
end
@user.safe_attributes = params[:user]
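Review bot: `is_updating_password` is derived only from `params[:user][:password]`, so any other way the password can change in this action will not raise the notification that the second hunk keys off this flag. The neighbouring test `test_update_with_generate_password_should_email_the_password` suggests a generate-password option exists; if it is applied through `@user.safe_attributes = params[:user]`, an admin reset done that way without `send_information` would presumably leave the user with no notice at all. Consider setting the flag from the model once the attributes are assigned, or extending the condition to cover that option; if the gap is intentional, say so with a comment such as `# true only for an explicit password param; generated passwords are not covered here`. As a style point, Ruby locals usually drop the `is_` prefix (`updating_password`). `update` starts and ends outside this hunk.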
@@ -165,6 +166,7 @@ class UsersController < ApplicationController
if @user.save
@user.pref.save
+ Mailer.deliver_password_updated(@user, User.current) if is_updating_password
if was_activated
Mailer.deliver_account_activated(@user)
elsif @user.active? && params[:send_information] && @user != User.current
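Review bot: The security notice is sent after `@user.save`, when the `@user.safe_attributes = params[:user]` assignment from the first hunk has already been persisted, so a request that changes both the password and the e-mail address would presumably notify only the new address. That is the case where the notice matters most to the account owner, because the previous address is the one they still control. How `Mailer.deliver_password_updated` selects recipients is not visible in this diff; if it reads the user's current address, capture the old one before assignment and notify it as well, or document the limitation with `# notification goes to the address stored after save`. The `if @user.save` block continues past the end of the hunk.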
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index c185f0eca..c963bf248 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -590,6 +590,24 @@ class UsersControllerTest < Redmine::ControllerTest
assert_mail_body_match 'newpass123', mail
end
+ def test_update_with_password_change_by_admin_should_send_a_security_notification
+ with_settings :bcc_recipients => '0' do
+ ActionMailer::Base.deliveries.clear
+ user = User.find_by(login: 'jsmith')
+
+ put :update, :params => {
+ :id => user.id,
+ :user => {:password => 'newpass123', :password_confirmation => 'newpass123'}
+ }
+
+ assert_equal 1, ActionMailer::Base.deliveries.size
+ mail = ActionMailer::Base.deliveries.last
+ assert_equal [user.mail], mail.to
+ assert_match 'Security notification', mail.subject
+ assert_mail_body_match 'Your password has been changed.', mail
+ end
+ end
+
def test_update_with_generate_password_should_email_the_password
ActionMailer::Base.deliveries.clear
with_settings :bcc_recipients => '1' do
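Review bot: The new test pins only the case where the notification is sent; nothing in this hunk checks the cases where it must not be. Two companion tests would close that: an update without `:password` asserting that no delivered mail has a subject matching 'Security notification', and an update with a mismatched `:password_confirmation` (which should fail validation) ending in `assert_equal 0, ActionMailer::Base.deliveries.size`, since the controller sends the mail only inside `if @user.save`. The controller also skips the password assignment when the user has an auth source and the request keeps it, which would be worth a third case.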