fix current password check on change password view (#690)

CPCN-489
superdesk · Dec 11, 2023 · f1a2002 · f1a2002
1 parent 355956f
commit f1a2002
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 8 deletions.
diff --git a/newsroom/auth/views.py b/newsroom/auth/views.py
@@ -394,18 +394,21 @@ def change_password():
                 if firebase_status == "OK":
                     flask.flash(gettext("Your password has been changed."), "success")
                 elif firebase_status == "auth/wrong-password":
-                    flask.flash(gettext("Wrong current password."), "error")
+                    flask.flash(gettext("Current password invalid."), "danger")
                 else:
                     log_firebase_unexpected_error(firebase_status)
+                return flask.redirect(flask.url_for("auth.change_password"))
         elif auth_provider.type == AuthProviderType.PASSWORD:
-            updates = {
-                "password": form.new_password.data,
-            }
-            get_resource_service("users").patch(id=ObjectId(user["_id"]), updates=updates)
-            flask.flash(gettext("Your password has been changed."), "success")
+            user_auth = get_auth_user_by_email(user["email"])
+            if not _is_password_valid(form.old_password.data.encode("UTF-8"), user_auth):
+                flask.flash(gettext("Current password invalid."), "danger")
+            else:
+                updates = {"password": form.new_password.data}
+                get_resource_service("users").patch(id=ObjectId(user["_id"]), updates=updates)
+                flask.flash(gettext("Your password has been changed."), "success")
+                return flask.redirect(flask.url_for("auth.change_password"))
         else:
             flask.flash(gettext("Change password is not available."), "warning")
-        return flask.redirect(flask.url_for("auth.change_password"))
 
     return flask.render_template(
         "change_password.html", form=form, user=user, firebase=app.config.get("FIREBASE_ENABLED")

diff --git a/tests/core/test_auth.py b/tests/core/test_auth.py
@@ -7,7 +7,7 @@
 
 from newsroom.auth.token import verify_auth_token
 from newsroom.auth.views import _is_password_valid
-from newsroom.tests.users import ADMIN_USER_ID, ADMIN_USER_EMAIL  # noqa
+from newsroom.tests.users import ADMIN_USER_EMAIL
 from tests.utils import login
 
 disabled_company = ObjectId()
@@ -575,3 +575,35 @@ def test_access_for_not_approved_user(client, app):
             json={"label": "bar", "query": "test", "notifications": True, "topic_type": "wire"},
         )
         assert 302 == resp.status_code, resp.get_data()
+
+
+def test_change_password(client, admin):
+    login(client, admin)
+    resp = client.get("/change_password")
+    assert 200 == resp.status_code
+
+    resp = client.post(
+        "/change_password",
+        data={
+            "old_password": "foo",
+            "new_password": "newpassword",
+            "new_password2": "newpassword",
+        },
+        follow_redirects=True,
+    )
+
+    assert 200 == resp.status_code
+    assert "Current password invalid" in resp.get_data(as_text=True)
+
+    resp = client.post(
+        "/change_password",
+        data={
+            "old_password": "admin",
+            "new_password": "newpassword",
+            "new_password2": "newpassword",
+        },
+        follow_redirects=True,
+    )
+
+    assert 200 == resp.status_code
+    assert "Your password has been changed" in resp.get_data(as_text=True)