Merge branch 'user-new-password' into 'master'

Require current password even if password was expired

Fixes #1469

See merge request !1002

app/controllers/profiles/passwords_controller.rb

@@ -11,6 +11,11 @@ class Profiles::PasswordsController < ApplicationController
   end
 
   def create
+    unless @user.valid_password?(user_params[:current_password])
+      redirect_to new_profile_password_path, alert: 'You must provide a valid current password'
+      return
+    end
+
     new_password = user_params[:password]
     new_password_confirmation = user_params[:password_confirmation]
 

app/views/profiles/passwords/new.html.haml

@@ -11,6 +11,9 @@
         - @user.errors.full_messages.each do |msg|
           %li= msg
 
+  .form-group
+    = f.label :current_password, class: 'control-label'
+    .col-sm-10= f.password_field :current_password, required: true, class: 'form-control'
   .form-group
     = f.label :password, class: 'control-label'
     .col-sm-10= f.password_field :password, required: true, class: 'form-control'

features/steps/profile/profile.rb

@@ -145,6 +145,7 @@ class Profile < Spinach::FeatureSteps
   end
 
   step 'I submit new password' do
+    fill_in :user_current_password, with: '12345678'
     fill_in :user_password, with: '12345678'
     fill_in :user_password_confirmation, with: '12345678'
     click_button "Set new password"
@@ -179,7 +180,7 @@ class Profile < Spinach::FeatureSteps
     @group.add_owner(current_user)
     @project = create(:project, namespace: @group)
     @event   = create(:closed_issue_event, project: @project)
-    
+
     @project.team << [current_user, :master]
   end