Commit 33f4f161 authored by Mayra Cabrera's avatar Mayra Cabrera 🌴

Merge branch…

Merge branch 'security-users-can-update-their-password-without-entering-current-password' into 'master'

[Master] No longer allow password change without previous password being provided

See merge request gitlab/gitlabhq!2383
parents 046cc601 8417f74f
...@@ -93,8 +93,6 @@ class ProfilesController < Profiles::ApplicationController ...@@ -93,8 +93,6 @@ class ProfilesController < Profiles::ApplicationController
:linkedin, :linkedin,
:location, :location,
:name, :name,
:password,
:password_confirmation,
:public_email, :public_email,
:skype, :skype,
:twitter, :twitter,
......
---
title: Prevent user passwords from being changed without providing the previous password
merge_request:
author:
type: security
...@@ -3,6 +3,19 @@ require('spec_helper') ...@@ -3,6 +3,19 @@ require('spec_helper')
describe ProfilesController, :request_store do describe ProfilesController, :request_store do
let(:user) { create(:user) } let(:user) { create(:user) }
describe 'POST update' do
it 'does not update password' do
sign_in(user)
expect do
post :update,
user: { password: 'hello12345', password_confirmation: 'hello12345' }
end.not_to change { user.reload.encrypted_password }
expect(response.status).to eq(302)
end
end
describe 'PUT update' do describe 'PUT update' do
it 'allows an email update from a user without an external email address' do it 'allows an email update from a user without an external email address' do
sign_in(user) sign_in(user)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment