Password reset should count as a password change for User#must_change_passwd (#25253).

Patch by Felix Schäfer. git-svn-id: http://svn.redmine.org/redmine/trunk@16374 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-12-19 15:01:14 +00:00 · 2017-03-05 09:16:16 +00:00 · 2017-03-05 09:16:16 +00:00 · 89daf0f16a
commit 89daf0f16a
parent 6865c96d99
1 changed files with 12 additions and 7 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@ -80,7 +80,11 @@ class AccountController < ApplicationController
        return
      end
      if request.post?
+        if @user.must_change_passwd? && @user.check_password?(params[:new_password])
+          flash.now[:error] = l(:notice_new_password_must_be_different)
+        else
          @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
+          @user.must_change_passwd = false
          if @user.save
            @token.destroy
            Mailer.password_updated(@user)
@ -89,6 +93,7 @@ class AccountController < ApplicationController
            return
          end
        end
+      end
      render :template => "account/password_recovery"
      return
    else