Force user to provide old password in order to change it

1328e8f6 · Dmitriy Zaporozhets · Wes Gurney · 20ddb964 · 1328e8f6 · 1328e8f6
Commit 1328e8f6 authored 11 years ago by Dmitriy Zaporozhets Committed by Wes Gurney 11 years ago
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -33,7 +33,14 @@ class ProfilesController < ApplicationController
  end
  
  def update_password
-    params[:user].reject!{ |k, v| k != "password" && k != "password_confirmation"}
+    params[:user].select! do |key, value|
+      %w(current_password password password_confirmation).include?(key.to_s)
+    end
+
+    unless @user.valid_password?(params[:user][:current_password])
+      redirect_to account_profile_path, alert: 'You must provide a valid current password'
+      return
+    end
  
    if @user.update_attributes(params[:user])
      flash[:notice] = "Password was successfully updated. Please login with it"

--- a/app/views/profiles/account.html.haml
+++ b/app/views/profiles/account.html.haml
@@ -57,24 +57,33 @@
      .tab-pane#tab-password
        %fieldset.update-password
          %legend Password
-          = form_for @user, url: update_password_profile_path, method: :put do |f|
-            %div
-              %p.slead After a successful password update you will be redirected to login page where you should login with your new password
-              -if @user.errors.any?
-                .alert.alert-error
-                  %ul
-                    - @user.errors.full_messages.each do |msg|
-                      %li= msg
-              .control-group
-                = f.label :password
-                .controls= f.password_field :password, required: true
-              .control-group
-                = f.label :password_confirmation
-                .controls
-                  = f.password_field :password_confirmation, required: true
-              .control-group
-                .controls
-                  = f.submit 'Save password', class: "btn btn-save"
+          - if current_user.ldap_user?
+            %h3.nothing_here_message Not available for LDAP user
+          - else
+            = form_for @user, url: update_password_profile_path, method: :put do |f|
+              %div
+                %p.slead
+                  You must provide current password in order to change it.
+                  %br
+                  After a successful password update you will be redirected to login page where you should login with your new password
+                -if @user.errors.any?
+                  .alert.alert-error
+                    %ul
+                      - @user.errors.full_messages.each do |msg|
+                        %li= msg
+                .control-group
+                  = f.label :current_password, class: 'cgreen'
+                  .controls= f.password_field :current_password, required: true
+                .control-group
+                  = f.label :password, 'New password'
+                  .controls= f.password_field :password, required: true
+                .control-group
+                  = f.label :password_confirmation
+                  .controls
+                    = f.password_field :password_confirmation, required: true
+                .control-group
+                  .controls
+                    = f.submit 'Save password', class: "btn btn-save"
  
      - if show_profile_social_tab?
        .tab-pane#tab-social

--- a/features/profile/profile.feature
+++ b/features/profile/profile.feature
@@ -11,6 +11,12 @@ Feature: Profile
    Then I change my contact info
    And I should see new contact info
  
+  Scenario: I change my password without old one
+    Given I visit profile account page
+    When I try change my password w/o old one
+    Then I should see a missing password error message
+    And I should be redirected to account page
+
  Scenario: I change my password
    Given I visit profile account page
    Then I change my password

--- a/features/steps/profile/profile.rb
+++ b/features/steps/profile/profile.rb
@@ -22,8 +22,17 @@ class Profile < Spinach::FeatureSteps
    @user.twitter.should == 'testtwitter'
  end
  
+  step 'I try change my password w/o old one' do
+    within '.update-password' do
+      fill_in "user_password", with: "222333"
+      fill_in "user_password_confirmation", with: "222333"
+      click_button "Save"
+    end
+  end
+
  step 'I change my password' do
    within '.update-password' do
+      fill_in "user_current_password", with: "123456"
      fill_in "user_password", with: "222333"
      fill_in "user_password_confirmation", with: "222333"
      click_button "Save"
@@ -32,12 +41,17 @@ class Profile < Spinach::FeatureSteps
  
  step 'I unsuccessfully change my password' do
    within '.update-password' do
+      fill_in "user_current_password", with: "123456"
      fill_in "user_password", with: "password"
      fill_in "user_password_confirmation", with: "confirmation"
      click_button "Save"
    end
  end
  
+  step "I should see a missing password error message" do
+    page.should have_content "You must provide a valid current password"
+  end
+
  step "I should see a password error message" do
    page.should have_content "Password doesn't match confirmation"
  end
@@ -110,6 +124,10 @@ class Profile < Spinach::FeatureSteps
    current_path.should == new_user_session_path
  end
  
+  step 'I should be redirected to account page' do
+    current_path.should == account_profile_path
+  end
+
  step 'I click on my profile picture' do
    click_link 'profile-pic'
  end