Password reset should count as a password change for User#must_change_passwd (#25253).

Patch by Felix Schäfer. git-svn-id: http://svn.redmine.org/redmine/trunk@16374 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-12-19 15:01:14 +00:00 · 2017-03-05 09:16:16 +00:00 · 2017-03-05 09:16:16 +00:00 · 89daf0f16a
commit 89daf0f16a
parent 6865c96d99
1 changed files with 12 additions and 7 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@ -80,13 +80,18 @@ class AccountController < ApplicationController
        return
      end
      if request.post?
-        @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
-        if @user.save
-          @token.destroy
-          Mailer.password_updated(@user)
-          flash[:notice] = l(:notice_account_password_updated)
-          redirect_to signin_path
-          return
+        if @user.must_change_passwd? && @user.check_password?(params[:new_password])
+          flash.now[:error] = l(:notice_new_password_must_be_different)
+        else
+          @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
+          @user.must_change_passwd = false
+          if @user.save
+            @token.destroy
+            Mailer.password_updated(@user)
+            flash[:notice] = l(:notice_account_password_updated)
+            redirect_to signin_path
+            return
+          end
        end
      end
      render :template => "account/password_recovery"