diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py index 0b6a7e1d2..8857bdaa0 100644 --- a/Allura/allura/controllers/auth.py +++ b/Allura/allura/controllers/auth.py @@ -167,7 +167,7 @@ def create_account(self, **kw): c.form = F.registration_form return dict() - def _validate_hash(self, hash): + def _validate_hash(self, hash) -> M.User: login_url = config.get('auth.login_url', '/auth/') if not hash: redirect(login_url) @@ -206,7 +206,12 @@ def set_new_password(self, hash=None, pw=None, pw2=None): if not provider.forgotten_password_process: raise wexc.HTTPNotFound() user = self._validate_hash(hash) - enforce_hibp_password_check(provider, pw, f'/auth/forgotten_password/{hash}') + restart_url = f'/auth/forgotten_password/{hash}' + enforce_hibp_password_check(provider, pw, restart_url) + + if provider._validate_password(user, pw): + flash('Your old and new password should not be the same', 'error') + redirect(restart_url) user.set_password(pw) user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='') # Clear password reset token diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py index 7309495c9..3ca7741d0 100644 --- a/Allura/allura/tests/functional/test_auth.py +++ b/Allura/allura/tests/functional/test_auth.py @@ -1743,6 +1743,17 @@ def test_password_reset(self, gen_message_id, sendsimplemail): assert 'New Password:' in r assert 'New Password (again):' in r form = r.forms[0] + form['pw'] = form['pw2'] = 'foo' # old password + with h.push_config(config, **{'auth.min_password_len': 3}): + r = form.submit() + print(r) + if r.status == 200: + assert [] == r.html.findAll(attrs={'class': 'fielderror'}) + assert 'Your old and new password should not be the same' in self.webflash(r) + r = r.follow() + + # fill it out correctly + form = r.forms[0] form['pw'] = form['pw2'] = new_password = '154321' with td.audits(r'Password changed \(through recovery process\)', user=True): # escape parentheses, so they would not be treated as regex group